Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1524424
MD5: aa9949bd15875a5926fbf69ee1cbab14
SHA1: 684a285fd052ea63159e7ce6422ca826f1b425a0
SHA256: 39181ee18d5f072fd0506ad9e882bef008d3662a8349d5386735ac1b476aab98
Tags: exe, user-Bitsight

Detection

Credential Flusher
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Credential Flusher
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • file.exe (PID: 1340 cmdline: "C:\Users\user\Desktop\file.exe" MD5: AA9949BD15875A5926FBF69EE1CBAB14)
    • taskkill.exe (PID: 4220 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • chrome.exe (PID: 712 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
      • chrome.exe (PID: 1432 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=2024,i,9003555246335183954,2073049887589838962,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
      • chrome.exe (PID: 6912 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5564 --field-trial-handle=2024,i,9003555246335183954,2073049887589838962,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
      • chrome.exe (PID: 8084 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 --field-trial-handle=2024,i,9003555246335183954,2073049887589838962,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: file.exe PID: 1340 | JoeSecurity_CredentialFlusher | Yara detected Credential Flusher | Joe Security | (none listed)
    No Sigma rule has matched
    No Suricata rule has matched

    AV Detection

    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
    Source: file.exe | Joe Sandbox ML: detected
    Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49712 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49714 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.7:49737 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 20.3.187.198:443 -> 192.168.2.7:64022 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.7:64023 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.7:64024 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.7:64025 version: TLS 1.2
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0082DBBE
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007FC2A2 FindFirstFileExW,0_2_007FC2A2
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008368EE FindFirstFileW,FindClose,0_2_008368EE
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_0083698F
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0082D076
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0082D3A9
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00839642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00839642
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0083979D
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00839B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00839B2B
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00835C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00835C97
    Source: global traffic | TCP traffic: 192.168.2.7:64021 -> 162.159.36.2:53
    Source: Joe Sandbox View | IP Address: 239.255.255.250 239.255.255.250
    Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
    Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
    Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
    Source: unknown | TCP traffic detected without corresponding DNS query: 104.98.116.138
    Source: unknown | TCP traffic detected without corresponding DNS query: 104.98.116.138
    Source: unknown | TCP traffic detected without corresponding DNS query: 104.98.116.138
    Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.50.201.200
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.50.201.200
    Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.50.201.200
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.50.201.200
    Source: unknown | TCP traffic detected without corresponding DNS query: 104.98.116.138
    Source: unknown | TCP traffic detected without corresponding DNS query: 104.98.116.138
    Source: unknown | TCP traffic detected without corresponding DNS query: 104.98.116.138
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.50.201.200
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 104.98.116.138
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.50.201.200
    Source: unknown | TCP traffic detected without corresponding DNS query: 13.85.23.86
    Source: unknown | TCP traffic detected without corresponding DNS query: 13.85.23.86
    Source: unknown | TCP traffic detected without corresponding DNS query: 13.85.23.86
    Source: unknown | TCP traffic detected without corresponding DNS query: 13.85.23.86
    Source: unknown | TCP traffic detected without corresponding DNS query: 13.85.23.86
    Source: unknown | TCP traffic detected without corresponding DNS query: 13.85.23.86
    Source: unknown | TCP traffic detected without corresponding DNS query: 104.98.116.138
    Source: unknown | TCP traffic detected without corresponding DNS query: 104.98.116.138
    Source: unknown | TCP traffic detected without corresponding DNS query: 104.98.116.138
    Source: unknown | TCP traffic detected without corresponding DNS query: 104.98.116.138
    Source: unknown | TCP traffic detected without corresponding DNS query: 13.85.23.86
    Source: unknown | TCP traffic detected without corresponding DNS query: 13.85.23.86
    Source: unknown | TCP traffic detected without corresponding DNS query: 13.85.23.86
    Source: unknown | TCP traffic detected without corresponding DNS query: 13.85.23.86
    Source: unknown | TCP traffic detected without corresponding DNS query: 13.85.23.86
    Source: unknown | TCP traffic detected without corresponding DNS query: 13.85.23.86
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_0083CE44
    Source: global traffic | HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1
        Host: youtube.com
        Connection: keep-alive
        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
        sec-ch-ua-mobile: ?0
        sec-ch-ua-platform: "Windows"
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: navigate
        Sec-Fetch-User: ?1
        Sec-Fetch-Dest: document
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
    Source: global traffic | HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1
        Host: www.youtube.com
        Connection: keep-alive
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: navigate
        Sec-Fetch-User: ?1
        Sec-Fetch-Dest: document
        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
        sec-ch-ua-mobile: ?0
        sec-ch-ua-platform: "Windows"
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
    Source: global traffic | HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1
        Connection: Keep-Alive
        Accept: */*
        Accept-Encoding: identity
        If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
        Range: bytes=0-2147483646
        User-Agent: Microsoft BITS/7.8
        Host: fs.microsoft.com
    Source: global traffic | HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1484300216&timestamp=1727888893272 HTTP/1.1
        Host: accounts.youtube.com
        Connection: keep-alive
        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
        sec-ch-ua-mobile: ?0
        sec-ch-ua-full-version: "117.0.5938.134"
        sec-ch-ua-arch: "x86"
        sec-ch-ua-platform: "Windows"
        sec-ch-ua-platform-version: "10.0.0"
        sec-ch-ua-model: ""
        sec-ch-ua-bitness: "64"
        sec-ch-ua-wow64: ?0
        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
        Sec-Fetch-Site: cross-site
        Sec-Fetch-Mode: navigate
        Sec-Fetch-User: ?1
        Sec-Fetch-Dest: iframe
        Referer: https://accounts.google.com/
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
    Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1
        Host: www.google.com
        Connection: keep-alive
        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
        sec-ch-ua-mobile: ?0
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
        sec-ch-ua-arch: "x86"
        sec-ch-ua-full-version: "117.0.5938.134"
        sec-ch-ua-platform-version: "10.0.0"
        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
        sec-ch-ua-bitness: "64"
        sec-ch-ua-model: ""
        sec-ch-ua-wow64: ?0
        sec-ch-ua-platform: "Windows"
        Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
        X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
        Sec-Fetch-Site: same-site
        Sec-Fetch-Mode: no-cors
        Sec-Fetch-Dest: image
        Referer: https://accounts.google.com/
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
        Cookie: NID=518=mw5dS35IUArFNqfBh-1DPq_dIHjS5CGwXkW95-xyUCBHiiEdGGEkS9j3P84dxoXHwnpqON_Y854aIPBouTmTa-t7HgdjI0TRhQ3o-iV0tZEp1z1UZ3L4YWVD3jc6zsbR71sIbEhZ2ABwt6jItUAgvSO82qrkwThJSVQo5TIUYmKoxNxfEA
    Source: global traffic | HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CPDyww1OOnssaDW&MD=wyszWg9z HTTP/1.1
        Connection: Keep-Alive
        Accept: */*
        User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
        Host: slscr.update.microsoft.com
    Source: global traffic | HTTP traffic detected: GET /clientwebservice/ping HTTP/1.1
        Connection: Keep-Alive
        User-Agent: DNS resiliency checker/1.0
        Host: fe3cr.delivery.mp.microsoft.com
    Source: global traffic | HTTP traffic detected: GET /sls/ping HTTP/1.1
        Connection: Keep-Alive
        User-Agent: DNS resiliency checker/1.0
        Host: slscr.update.microsoft.com
    Source: global traffic | HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CPDyww1OOnssaDW&MD=wyszWg9z HTTP/1.1
        Connection: Keep-Alive
        Accept: */*
        User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
        Host: slscr.update.microsoft.com
    Source: global traffic | HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CPDyww1OOnssaDW&MD=wyszWg9z HTTP/1.1
        Connection: Keep-Alive
        Accept: */*
        User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
        Host: slscr.update.microsoft.com
    Source: chromecache_85.8.dr | String found in binary or memory: _.fq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.fq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.fq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.fq(_.oq(c))+"&hl="+_.fq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.fq(m)+"/chromebook/termsofservice.html?languageCode="+_.fq(d)+"&regionCode="+_.fq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)
    Source: global traffic | DNS traffic detected: DNS query: youtube.com
    Source: global traffic | DNS traffic detected: DNS query: www.youtube.com
    Source: global traffic | DNS traffic detected: DNS query: www.google.com
    Source: global traffic | DNS traffic detected: DNS query: accounts.youtube.com
    Source: global traffic | DNS traffic detected: DNS query: play.google.com
    Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
    Source: unknown | HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
        Host: play.google.com
        Connection: keep-alive
        Content-Length: 507
        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
        sec-ch-ua-mobile: ?0
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
        sec-ch-ua-arch: "x86"
        Content-Type: application/x-www-form-urlencoded;charset=UTF-8
        sec-ch-ua-full-version: "117.0.5938.134"
        sec-ch-ua-platform-version: "10.0.0"
        X-Goog-AuthUser: 0
        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
        sec-ch-ua-bitness: "64"
        sec-ch-ua-model: ""
        sec-ch-ua-wow64: ?0
        sec-ch-ua-platform: "Windows"
        Accept: */*
        Origin: https://accounts.google.com
        X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
        Sec-Fetch-Site: same-site
        Sec-Fetch-Mode: cors
        Sec-Fetch-Dest: empty
        Referer: https://accounts.google.com/
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
    Source: chromecache_85.8.dr | String found in binary or memory: https://accounts.google.com
    Source: chromecache_85.8.dr | String found in binary or memory: https://accounts.google.com/TOS?loc=
    Source: file.exe, 00000000.00000002.1280984509.0000000000D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1279671533.0000000000D3F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
    Source: chromecache_91.8.dr | String found in binary or memory: https://apis.google.com/js/api.js
    Source: chromecache_85.8.dr | String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
    Source: chromecache_85.8.dr | String found in binary or memory: https://families.google.com/intl/
    Source: chromecache_91.8.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
    Source: chromecache_91.8.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
    Source: chromecache_85.8.dr | String found in binary or memory: https://g.co/recover
    Source: chromecache_85.8.dr | String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
    Source: chromecache_85.8.dr | String found in binary or memory: https://play.google.com/work/enroll?identifier=
    Source: chromecache_85.8.dr | String found in binary or memory: https://play.google/intl/
    Source: chromecache_85.8.dr | String found in binary or memory: https://policies.google.com/privacy
    Source: chromecache_85.8.dr | String found in binary or memory: https://policies.google.com/privacy/additional
    Source: chromecache_85.8.dr | String found in binary or memory: https://policies.google.com/privacy/google-partners
    Source: chromecache_85.8.dr | String found in binary or memory: https://policies.google.com/technologies/cookies
    Source: chromecache_85.8.dr | String found in binary or memory: https://policies.google.com/technologies/location-data
    Source: chromecache_85.8.dr | String found in binary or memory: https://policies.google.com/terms
    Source: chromecache_85.8.dr | String found in binary or memory: https://policies.google.com/terms/location
    Source: chromecache_85.8.dr | String found in binary or memory: https://policies.google.com/terms/service-specific
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
    Source: chromecache_91.8.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
    Source: chromecache_91.8.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
    Source: chromecache_85.8.drString found in binary or memory: https://support.google.com/accounts?hl=
    Source: chromecache_85.8.drString found in binary or memory: https://support.google.com/accounts?p=new-si-ui
    Source: chromecache_85.8.drString found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
    Source: chromecache_91.8.drString found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
    Source: chromecache_85.8.drString found in binary or memory: https://www.google.com
    Source: chromecache_85.8.drString found in binary or memory: https://www.google.com/intl/
    Source: chromecache_91.8.drString found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
    Source: chromecache_91.8.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
    Source: chromecache_91.8.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
    Source: chromecache_91.8.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
    Source: chromecache_91.8.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
    Source: chromecache_91.8.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
    Source: chromecache_85.8.drString found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
    Source: chromecache_85.8.drString found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
    Source: file.exe, 00000000.00000003.1279599832.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1281052230.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1279783843.0000000000D57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pw
    Source: file.exe, 00000000.00000003.1244472660.0000000000D44000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1259153279.00000000006B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0083EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0083EAFF
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0083ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0083ED6A
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0083EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0083EAFF
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0082AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_0082AA57
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00859576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00859576

    System Summary

    Source: file.exe String found in binary or memory: This is a third-party compiled AutoIt script.
    Source: file.exe, 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_b51cae08-4
    Source: file.exe, 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_11daef58-c
    Source: file.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_b8eef30f-6
    Source: file.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_b1fb3928-6
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0082D5EB: CreateFileW,DeviceIoControl,CloseHandle, 0_2_0082D5EB
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00821201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00821201
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0082E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_0082E8F6
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C8060
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00832046
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00828298
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007FE4FF
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007F676B
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00854873
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007CCAF0
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007ECAA0
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007DCC39
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007F6DD9
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007DB119
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C91C0
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E1394
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E1706
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E781B
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D997D
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C7920
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E19B0
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E7A4A
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E1C77
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E7CA7
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007F9EEE
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0084BE44
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E1F32
    Source: C:\Users\user\Desktop\file.exe Code function: String function: 007DF9F2 appears 40 times
    Source: C:\Users\user\Desktop\file.exe Code function: String function: 007E0A30 appears 46 times
    Source: C:\Users\user\Desktop\file.exe Code function: String function: 007C9CB3 appears 31 times
    Source: file.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: classification engine Classification label: mal64.troj.evad.winEXE@36/30@13/8
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008337B5 GetLastError,FormatMessageW, 0_2_008337B5
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008210BF AdjustTokenPrivileges,CloseHandle, 0_2_008210BF
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_008216C3
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_008351CD
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0084A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_0084A67C
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0083648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0083648E
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_007C42A2
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_03
    Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
    Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
    Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=2024,i,9003555246335183954,2073049887589838962,262144 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5564 --field-trial-handle=2024,i,9003555246335183954,2073049887589838962,262144 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 --field-trial-handle=2024,i,9003555246335183954,2073049887589838962,262144 /prefetch:8
    Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
    Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=2024,i,9003555246335183954,2073049887589838962,262144 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5564 --field-trial-handle=2024,i,9003555246335183954,2073049887589838962,262144 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 --field-trial-handle=2024,i,9003555246335183954,2073049887589838962,262144 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
    Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
    Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
    Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
    Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
    Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
    Source: Window Recorder Window detected: More than 3 window changes detected
    Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_007C42DE
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E0A76 push ecx; ret 0_2_007E0A89
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007DF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_007DF98E
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00851C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00851C41
    Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\file.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep graph_0-94962
    Source: C:\Users\user\Desktop\file.exe API coverage: 3.5 %
    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0082DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0082DBBE
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007FC2A2 FindFirstFileExW, 0_2_007FC2A2
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008368EE FindFirstFileW,FindClose, 0_2_008368EE
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0083698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_0083698F
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0082D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0082D076
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0082D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0082D3A9
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00839642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00839642
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0083979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0083979D
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00839B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00839B2B
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00835C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00835C97
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_007C42DE
    Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0083EAA2 BlockInput, 0_2_0083EAA2
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007F2622
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_007C42DE
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E4CE8 mov eax, dword ptr fs:[00000030h] 0_2_007E4CE8
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00820B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00820B62
    Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007F2622
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007E083F
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E09D5 SetUnhandledExceptionFilter, 0_2_007E09D5
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_007E0C21
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00821201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00821201
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00802BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00802BA5
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0082B226 SendInput,keybd_event, 0_2_0082B226
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008422DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_008422DA
    Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00820B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00820B62
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00821663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00821663
    Source: file.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
    Source: file.exe Binary or memory string: Shell_TrayWnd
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E0698 cpuid 0_2_007E0698
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00838195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_00838195
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0081D27A GetUserNameW, 0_2_0081D27A
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007FB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_007FB952
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_007C42DE

    Stealing of Sensitive Information

    barindex
    Source: Yara matchFile source: Process Memory Space: file.exe PID: 1340, type: MEMORYSTR
    Source: file.exeBinary or memory string: WIN_81
    Source: file.exeBinary or memory string: WIN_XP
    Source: file.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
    Source: file.exeBinary or memory string: WIN_XPe
    Source: file.exeBinary or memory string: WIN_VISTA
    Source: file.exeBinary or memory string: WIN_7
    Source: file.exeBinary or memory string: WIN_8

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: file.exe PID: 1340, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00841204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket | 0_2_00841204
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00841806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket | 0_2_00841806
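The two "Code function" chains above are what the report's "open a port and listen for incoming connection" signature is built from: the first function reaches listen(), the second stops at bind(). The following Python is an added example, not part of the Joe Sandbox report; it parses report lines of that shape and classifies each function by the ordered Winsock calls it contains. The two input lines are copies of the report entries, the classification rules and role names are this example's own, and the error-handling calls (WSAGetLastError, closesocket) are treated as noise because they say nothing about the socket's purpose.

```python
"""Classify Joe Sandbox 'Code function' API chains by socket role.

Added example (not part of the report). The rules below are an assumption:
a socket->bind->listen sequence is treated as a TCP listener, socket->bind
without listen as a merely bound socket (UDP, or a pinned source port), and
socket->connect as a client.
"""
import re

# Copies of the report's two Remote Access Functionality lines (constructed
# for offline use; a space was added between the path and "Code function").
REPORT_LINES = [
    "Source: C:\\Users\\user\\Desktop\\file.exe Code function: 0_2_00841204 "
    "socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,"
    "WSAGetLastError,closesocket,0_2_00841204",
    "Source: C:\\Users\\user\\Desktop\\file.exe Code function: 0_2_00841806 "
    "socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00841806",
]

# "<addr> <api,api,...>,<addr>" with the function address repeated at the end.
CODE_FUNC_RE = re.compile(r"Code function: (?P<addr>\S+) (?P<apis>.+?),(?P=addr)$")

# Calls that only handle errors or clean up; they carry no intent.
NOISE = {"WSAGetLastError", "closesocket"}


def parse_code_function(line):
    """Return (function address, ordered list of API names) from one report line."""
    m = CODE_FUNC_RE.search(line)
    if not m:
        raise ValueError(f"not a Code function line: {line!r}")
    apis = [a.strip() for a in m.group("apis").split(",") if a.strip()]
    return m.group("addr"), apis


def contains_in_order(apis, pattern):
    """True if every API in `pattern` occurs in `apis` in that relative order."""
    pos = 0
    for api in apis:
        if api == pattern[pos]:
            pos += 1
            if pos == len(pattern):
                return True
    return False


def classify(apis):
    """Map an API sequence to a coarse socket role (assumed taxonomy)."""
    core = [a for a in apis if a not in NOISE]
    if contains_in_order(core, ["socket", "bind", "listen"]):
        return "tcp-listener"   # opens a port and waits for inbound connections
    if contains_in_order(core, ["socket", "bind"]):
        return "bound-socket"   # bound but never listens: UDP, or a source-port pin
    if contains_in_order(core, ["socket", "connect"]):
        return "tcp-client"
    return "other"


def classify_report(lines):
    """Return {function address: role} for every Code function line given."""
    roles = {}
    for line in lines:
        addr, apis = parse_code_function(line)
        roles[addr] = classify(apis)
    return roles


if __name__ == "__main__":
    for addr, role in classify_report(REPORT_LINES).items():
        print(f"{addr}: {role}")
```

Run against the two report lines this yields 0_2_00841204 as a TCP listener and 0_2_00841806 as a bound socket only. Two caveats a practitioner should keep in mind: these are static findings (the report also notes a large number of non-executed functions), and because the sample is a compiled AutoIt script the chains are most likely the interpreter's built-in TCP functions, so they show the capability is present in the binary, not that the script logic ever calls it.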
ATT&CK matrix (one row per line, cells separated by |; a leading number marks a technique the report attributed to this sample, the remaining cells are the matrix's unmatched placeholder techniques):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 2 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Native API | 2 Valid Accounts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 21 Input Capture | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Valid Accounts | 2 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 16 System Information Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 2 Process Injection | 2 Valid Accounts | LSA Secrets | 12 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Access Token Manipulation | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Process Injection | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1524424 | Sample: file.exe | Start date: 02/10/2024 | Architecture: WINDOWS | Score: 64

Start (node 2)
  DNS: www.google.com (31), play.google.com (33), 198.187.3.20.in-addr.arpa (35)
  Signatures: Yara detected Credential Flusher (41), Binary is likely a compiled AutoIt script file (43), Machine Learning detection for sample (45), AI detected suspicious sample (47)
  -> file.exe (8) started
       Signatures: Binary is likely a compiled AutoIt script file (49), Found API chain indicative of sandbox detection (51)
       -> chrome.exe (11) started
            Network: 192.168.2.7, 123, 138, 443, unknown unknown (37); 239.255.255.250, unknown Reserved (39)
            -> chrome.exe (16) started
                 Network: 142.250.186.164, 443, 64030, GOOGLEUS United States (25); youtube.com 142.250.186.78, 443, 49703, GOOGLEUS United States (27); 6 other IPs or domains (29)
            -> chrome.exe (19) started
            -> chrome.exe (21) started
       -> taskkill.exe (14) started
            -> conhost.exe (23) started

Source | Detection | Scanner | Label | Link
file.exe | 100% | Joe Sandbox ML | |
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
Source | Detection | Scanner | Label | Link
https://play.google/intl/ | 0% | URL Reputation | safe |
https://families.google.com/intl/ | 0% | URL Reputation | safe |
https://policies.google.com/technologies/location-data | 0% | URL Reputation | safe |
https://apis.google.com/js/api.js | 0% | URL Reputation | safe |
https://policies.google.com/privacy/google-partners | 0% | URL Reputation | safe |
https://policies.google.com/terms/service-specific | 0% | URL Reputation | safe |
https://g.co/recover | 0% | URL Reputation | safe |
https://policies.google.com/privacy/additional | 0% | URL Reputation | safe |
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072 | 0% | URL Reputation | safe |
https://policies.google.com/technologies/cookies | 0% | URL Reputation | safe |
https://policies.google.com/terms | 0% | URL Reputation | safe |
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url= | 0% | URL Reputation | safe |
https://support.google.com/accounts?hl= | 0% | URL Reputation | safe |
https://policies.google.com/terms/location | 0% | URL Reputation | safe |
https://policies.google.com/privacy | 0% | URL Reputation | safe |
https://support.google.com/accounts?p=new-si-ui | 0% | URL Reputation | safe |
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
youtube-ui.l.google.com | 216.58.206.46 | true | false | | unknown
www3.l.google.com | 216.58.206.78 | true | false | | unknown
play.google.com | 216.58.212.142 | true | false | | unknown
www.google.com | 216.58.206.36 | true | false | | unknown
youtube.com | 142.250.186.78 | true | false | | unknown
accounts.youtube.com | unknown | unknown | false | | unknown
www.youtube.com | unknown | unknown | false | | unknown
198.187.3.20.in-addr.arpa | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0 | false | | unknown
https://www.google.com/favicon.ico | false | | unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://play.google/intl/ | chromecache_85.8.dr | false | URL Reputation: safe | unknown
https://families.google.com/intl/ | chromecache_85.8.dr | false | URL Reputation: safe | unknown
https://youtube.com/t/terms?gl= | chromecache_85.8.dr | false | | unknown
https://policies.google.com/technologies/location-data | chromecache_85.8.dr | false | URL Reputation: safe | unknown
https://www.google.com/intl/ | chromecache_85.8.dr | false | | unknown
https://apis.google.com/js/api.js | chromecache_91.8.dr | false | URL Reputation: safe | unknown
https://policies.google.com/privacy/google-partners | chromecache_85.8.dr | false | URL Reputation: safe | unknown
https://play.google.com/work/enroll?identifier= | chromecache_85.8.dr | false | | unknown
https://policies.google.com/terms/service-specific | chromecache_85.8.dr | false | URL Reputation: safe | unknown
https://g.co/recover | chromecache_85.8.dr | false | URL Reputation: safe | unknown
https://policies.google.com/privacy/additional | chromecache_85.8.dr | false | URL Reputation: safe | unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072 | chromecache_85.8.dr | false | URL Reputation: safe | unknown
https://policies.google.com/technologies/cookies | chromecache_85.8.dr | false | URL Reputation: safe | unknown
https://policies.google.com/terms | chromecache_85.8.dr | false | URL Reputation: safe | unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url= | chromecache_91.8.dr | false | URL Reputation: safe | unknown
https://www.google.com | chromecache_85.8.dr | false | | unknown
https://play.google.com/log?format=json&hasfast=true | chromecache_85.8.dr | false | | unknown
https://www.youtube.com/t/terms?chromeless=1&hl= | chromecache_85.8.dr | false | | unknown
https://support.google.com/accounts?hl= | chromecache_85.8.dr | false | URL Reputation: safe | unknown
https://policies.google.com/terms/location | chromecache_85.8.dr | false | URL Reputation: safe | unknown
https://policies.google.com/privacy | chromecache_85.8.dr | false | URL Reputation: safe | unknown
https://support.google.com/accounts?p=new-si-ui | chromecache_85.8.dr | false | URL Reputation: safe | unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage | chromecache_85.8.dr | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
142.250.186.78 | youtube.com | United States | | 15169 | GOOGLEUS | false
216.58.212.142 | play.google.com | United States | | 15169 | GOOGLEUS | false
216.58.206.78 | www3.l.google.com | United States | | 15169 | GOOGLEUS | false
216.58.206.36 | www.google.com | United States | | 15169 | GOOGLEUS | false
216.58.206.46 | youtube-ui.l.google.com | United States | | 15169 | GOOGLEUS | false
239.255.255.250 | unknown | Reserved | | unknown | unknown | false
142.250.186.164 | unknown | United States | | 15169 | GOOGLEUS | false
IP (private address range)
192.168.2.7
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1524424
                                      Start date and time:2024-10-02 19:07:04 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 4m 46s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:23
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:file.exe
                                      Detection:MAL
                                      Classification:mal64.troj.evad.winEXE@36/30@13/8
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:
                                      • Successful, ratio: 95%
                                      • Number of executed functions: 39
                                      • Number of non-executed functions: 314
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 142.250.186.35, 142.250.186.142, 142.250.110.84, 34.104.35.123, 172.217.16.195, 142.250.185.131, 142.250.186.42, 216.58.206.42, 172.217.16.138, 216.58.212.138, 142.250.186.170, 142.250.185.106, 142.250.184.202, 142.250.186.74, 142.250.185.74, 172.217.16.202, 142.250.181.234, 142.250.186.106, 142.250.186.138, 216.58.206.74, 142.250.184.234, 172.217.18.10, 142.250.185.170, 142.250.185.234, 142.250.74.202, 216.58.212.170, 142.250.185.202, 142.250.185.138, 199.232.214.172, 142.250.186.67, 142.250.185.142
                                      • Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, time.windows.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
• Not all processes were analyzed; the report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                      • VT rate limit hit for: file.exe
                                      No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
239.255.255.250 | file.exe | | malicious | Credential Flusher | |
239.255.255.250 | file.exe | | malicious | Credential Flusher | |
239.255.255.250 | file.exe | | malicious | Credential Flusher | |
239.255.255.250 | file.exe | | malicious | Credential Flusher | |
239.255.255.250 | file.exe | | malicious | Unknown | |
239.255.255.250 | file.exe | | malicious | Credential Flusher | |
239.255.255.250 | file.exe | | malicious | Credential Flusher | |
239.255.255.250 | file.exe | | malicious | Credential Flusher | |
239.255.255.250 | file.exe | | malicious | Credential Flusher | |
239.255.255.250 | 27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html | | malicious | Unknown | |
                                                          No context
                                                          No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
28a2c9bd18a11de089ef85a160da29e4 | file.exe | | malicious | Credential Flusher | | 4.175.87.197, 13.85.23.86, 184.28.90.27, 20.3.187.198
28a2c9bd18a11de089ef85a160da29e4 | file.exe | | malicious | Credential Flusher | | 4.175.87.197, 13.85.23.86, 184.28.90.27, 20.3.187.198
28a2c9bd18a11de089ef85a160da29e4 | file.exe | | malicious | Credential Flusher | | 4.175.87.197, 13.85.23.86, 184.28.90.27, 20.3.187.198
28a2c9bd18a11de089ef85a160da29e4 | file.exe | | malicious | Credential Flusher | | 4.175.87.197, 13.85.23.86, 184.28.90.27, 20.3.187.198
28a2c9bd18a11de089ef85a160da29e4 | file.exe | | malicious | Unknown | | 4.175.87.197, 13.85.23.86, 184.28.90.27, 20.3.187.198
28a2c9bd18a11de089ef85a160da29e4 | file.exe | | malicious | Credential Flusher | | 4.175.87.197, 13.85.23.86, 184.28.90.27, 20.3.187.198
28a2c9bd18a11de089ef85a160da29e4 | file.exe | | malicious | Credential Flusher | | 4.175.87.197, 13.85.23.86, 184.28.90.27, 20.3.187.198
28a2c9bd18a11de089ef85a160da29e4 | file.exe | | malicious | Credential Flusher | | 4.175.87.197, 13.85.23.86, 184.28.90.27, 20.3.187.198
28a2c9bd18a11de089ef85a160da29e4 | file.exe | | malicious | Credential Flusher | | 4.175.87.197, 13.85.23.86, 184.28.90.27, 20.3.187.198
28a2c9bd18a11de089ef85a160da29e4 | 27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html | | malicious | Unknown | | 4.175.87.197, 13.85.23.86, 184.28.90.27, 20.3.187.198
                                                          No context
                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          File Type:ASCII text, with very long lines (468)
                                                          Category:downloaded
                                                          Size (bytes):1858
                                                          Entropy (8bit):5.298162049824456
                                                          Encrypted:false
                                                          SSDEEP:48:o7vGoolL3ALFKphnpiu7xOKAcfO/3d/rYh4vZorw:o/QLUFUL4KA+2y0Mw
                                                          MD5:CE055F881BDAB4EF6C1C8AA4B3890348
                                                          SHA1:2671741A70E9F5B608F690AAEEA4972003747654
                                                          SHA-256:9B91C23691D6032CDFE28863E369624B2EDB033E1487A1D1BB0977E3590E5462
                                                          SHA-512:8A22250628985C2E570E6FBADFC0D5CB6753F0735130F9E74962A409476C2859C5C81F8A0F5C427A9F13ED399C8E251FA43FF67AD5F16860640D45E7A538E857
                                                          Malicious:false
                                                          Reputation:moderate, very likely benign file
                                                          URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
                                                          Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("iAskyc");._.QZ=function(a){_.W.call(this,a.Fa);this.window=a.Ea.window.get();this.Nc=a.Ea.Nc};_.J(_.QZ,_.W);_.QZ.Ba=function(){return{Ea:{window:_.qu,Nc:_.DE}}};_.QZ.prototype.Po=function(){};_.QZ.prototype.addEncryptionRecoveryMethod=function(){};_.RZ=function(a){return(a==null?void 0:a.Jo)||function(){}};_.SZ=function(a){return(a==null?void 0:a.m3)||function(){}};_.GPb=function(a){return(a==null?void 0:a.Op)||function(){}};._.HPb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.IPb=function(a){setTimeout(function(){throw a;},0)};_.QZ.prototype.kO=function(){return!0};_.nu(_.An,_.QZ);._.l();._.k("ziXSP");.var j_=function(a){_.QZ.call(this,a.Fa)};_.J(j_,_.QZ);j_.Ba=_.QZ.Ba;j_.prototype.Po=function(a,b,c){var d;if((d=this.window.chrome)==nu
                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          File Type:ASCII text, with very long lines (683)
                                                          Category:downloaded
                                                          Size (bytes):3131
                                                          Entropy (8bit):5.355381206612617
                                                          Encrypted:false
                                                          SSDEEP:48:o7FEEM3MtH15jNQ8jsK3rnw0dkckTrKEp/OqLE9xz0W5Bzv3M6hIHYA+JITbwrF8:oq675jOArwoAmI/DLaxNPL5m+m6w
                                                          MD5:E2A7251AD83A0D0634FEA2703D10ED07
                                                          SHA1:90D72011F31FC40D3DA3748F2817F90A29EB5C01
                                                          SHA-256:1079B49C4AAF5C10E4F2E6A086623F40D200A71FF2A1F64E88AA6C91E4BE7A6F
                                                          SHA-512:CD6D75580EA8BD97CF7C7C0E0BD9D9A54FB6EA7DF1DDB5A95E94D38B260F9EE1425C640839ECD229B8D01E145CF2786CA374D31EC537EB8FE17FF415D5B985F5
                                                          Malicious:false
                                                          Reputation:moderate, very likely benign file
                                                          URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
                                                          Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("ZwDk9d");.var gA=function(a){_.W.call(this,a.Fa)};_.J(gA,_.W);gA.Ba=_.W.Ba;gA.prototype.eS=function(a){return _.Xe(this,{Xa:{gT:_.ll}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.li(function(e){window._wjdc=function(f){d(f);e(ZJa(f,b,a))}}):ZJa(c,b,a)})};var ZJa=function(a,b,c){return(a=a&&a[c])?a:b.Xa.gT.eS(c)};.gA.prototype.aa=function(a,b){var c=_.Zra(b).Rj;if(c.startsWith("$")){var d=_.gm.get(a);_.uq[b]&&(d||(d={},_.gm.set(a,d)),d[c]=_.uq[b],delete _.uq[b],_.vq--);if(d)if(a=d[c])b=_.af(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.nu(_.Lfa,gA);._.l();._.k("SNUn3");._.YJa=new _.pf(_.wg);._.l();._.k("RMhBfe");.var $Ja=function(a){var b=_.tq(a);return b?new _.li(function(c,d){var e=function(){b=_.tq(a);var f=_.Sfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit
                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          File Type:MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
                                                          Category:downloaded
                                                          Size (bytes):5430
                                                          Entropy (8bit):3.6534652184263736
                                                          Encrypted:false
                                                          SSDEEP:48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
                                                          MD5:F3418A443E7D841097C714D69EC4BCB8
                                                          SHA1:49263695F6B0CDD72F45CF1B775E660FDC36C606
                                                          SHA-256:6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
                                                          SHA-512:82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
                                                          Malicious:false
                                                          Reputation:high, very likely benign file
                                                          URL:https://www.google.com/favicon.ico
                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          File Type:ASCII text, with very long lines (5693)
                                                          Category:downloaded
                                                          Size (bytes):698314
                                                          Entropy (8bit):5.595120835898624
                                                          Encrypted:false
                                                          SSDEEP:6144:TJvaKtQfcxene0F2HhPM8RGYcBlKmd5r6XISxi7SlncOpYMSrBg5X3O4mAEFD7:TJyKtkIct842ISxXJ09
                                                          MD5:F82438F9EAD5F57493C673008EED9E09
                                                          SHA1:E4681E68FD66D8C76C6ACBC21E2C45F36FD645BC
                                                          SHA-256:B4B092F54EAAA82BFAA159B8D61FB867B51C3067CBD60F4904A205A11F503250
                                                          SHA-512:89027A7B1B3A080D40411F2E6E3B62BF57AC60879223566E71BD41D900C17051F0A058EFE04F8F1FED5E05DC54617D7A86F83D21BDED0F79347795C8B980B4B2
                                                          Malicious:false
                                                          URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
                                                          Preview:"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left
                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          File Type:ASCII text, with very long lines (2907)
                                                          Category:downloaded
                                                          Size (bytes):22833
                                                          Entropy (8bit):5.425034548615223
                                                          Encrypted:false
                                                          SSDEEP:384:7lFo6ZEdpgtmyiPixV9OX9gMBpHkHnfst9lZulagGcwYHiRFjJzN7:77o6ZviPixV8xpEHn89l4IgGcwYCRtb7
                                                          MD5:749B18538FE32BFE0815D75F899F5B21
                                                          SHA1:AF95A019211AF69F752A43CAA54A83C2AFD41D28
                                                          SHA-256:116B2687C1D5E00DB56A79894AB0C12D4E2E000B9379B7E7AD751B84DF611F3F
                                                          SHA-512:E4B6F4556AA0FD9979BB52681508F5E26FFB256473803F74F7F5C8D93FA3636D7D0A5835618FBC6123022805CE0D9616A7451A0F302C665E28A6090B5D588505
                                                          Malicious:false
                                                          URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
                                                          Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.uu.prototype.da=_.ca(40,function(){return _.rj(this,3)});_.$y=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.$y.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.az=function(){this.ka=!0;var a=_.vj(_.dk(_.Be("TSDtV",window),_.zya),_.uu,1,_.qj())[0];if(a){var b={};for(var c=_.n(_.vj(a,_.Aya,2,_.qj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Jj(d,1).toString();switch(_.tj(d,_.vu)){case 3:b[e]=_.Hj(d,_.lj(d,_.vu,3));break;case 2:b[e]=_.Jj(d,_.lj(d,_.vu,2));break;case 4:b[e]=_.Kj(d,_.lj(d,_.vu,4));break;case 5:b[e]=_.Lj(d,_.lj(d,_.vu,5));break;case 6:b[e]=_.Pj(d,_.ff,6,_.vu);break;default:throw Error("jd`"+_.tj(d,_.vu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.az.prototype.aa=function(a){if(!this.ka||a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Be("nQyAE",window)){var b=_.Cya(a.flagName);if(b===null)a=a.de
                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          File Type:HTML document, ASCII text, with very long lines (681)
                                                          Category:downloaded
                                                          Size (bytes):4066
                                                          Entropy (8bit):5.363016925556486
                                                          Encrypted:false
                                                          SSDEEP:96:G2CiFZX5BReR68ujioIRVrqtyzBeTV6SfyAKLif9c7w:bCMZXVeR6jiosVrqtyzBaImyAKw9x
                                                          MD5:FC5E597D923838E10390DADD12651A81
                                                          SHA1:C9959F8D539DB5DF07B8246EC12539B6A9CC101F
                                                          SHA-256:A7EBD5280C50AE93C061EAE1E9727329E015E97531F8F2D82D0E3EA76ADB37B4
                                                          SHA-512:784CA572808F184A849388723FBB3701E6981D885BBA8A330A933F90BF0B36A2E4A491D4463A27911B1D9F7A7134F23E15F187FC7CB4554EAE9BC252513EED7C
                                                          Malicious:false
                                                          URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
                                                          Preview:"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.vg(_.aqa);._.k("sOXFj");.var tu=function(a){_.W.call(this,a.Fa)};_.J(tu,_.W);tu.Ba=_.W.Ba;tu.prototype.aa=function(a){return a()};_.nu(_.$pa,tu);._.l();._.k("oGtAuc");._.yya=new _.pf(_.aqa);._.l();._.k("q0xTif");.var sza=function(a){var b=function(d){_.Sn(d)&&(_.Sn(d).Jc=null,_.Du(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Pu=function(a){_.kt.call(this,a.Fa);this.Qa=this.dom=null;if(this.kl()){var b=_.zm(this.Ug(),[_.Em,_.Dm]);b=_.ni([b[_.Em],b[_.Dm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.hu(this,b)}this.Ra=a.lm.zea};_.J(Pu,_.kt);Pu.Ba=function(){return{lm:{zea:function(a){return _.Ue(a)}}}};Pu.prototype.zp=function(a){return this.Ra.zp(a)};.Pu.prototype.getData=function(a){return this.Ra.getData(a)};Pu.prototype.qo=function(){_.Kt(this.d
                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          File Type:Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
                                                          Category:downloaded
                                                          Size (bytes):52280
                                                          Entropy (8bit):7.995413196679271
                                                          Encrypted:true
                                                          SSDEEP:1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
                                                          MD5:F61F0D4D0F968D5BBA39A84C76277E1A
                                                          SHA1:AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
                                                          SHA-256:57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
                                                          SHA-512:6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
                                                          Malicious:false
                                                          URL:https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          File Type:ASCII text, with very long lines (533)
                                                          Category:downloaded
                                                          Size (bytes):9210
                                                          Entropy (8bit):5.404371326611379
                                                          Encrypted:false
                                                          SSDEEP:192:EEFZpeip4HzZlY0If0Ma23jcUcrhCx6VD1TYPi8:Es/p4jgjUhtD1TY68
                                                          MD5:21E893B65627B397E22619A9F5BB9662
                                                          SHA1:F561B0F66211C1E7B22F94B4935C312AB7087E85
                                                          SHA-256:FFA9B8BC8EF2CDFF5EB4BA1A0BA1710A253A5B42535E2A369D5026967DCF4673
                                                          SHA-512:3DE3CD6A4E9B06AB3EB324E90A40B5F2AEEA8D7D6A2651C310E993CF79EEB5AC6E2E33C587F46B2DD20CC862354FD1A61AEBB9B990E6805F6629404BA285F8FA
                                                          Malicious:false
                                                          URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
                                                          Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.qNa=_.y("SD8Jgb",[]);._.GX=function(a,b){if(typeof b==="string")a.Lc(b);else if(b instanceof _.Fp&&b.ia&&b.ia===_.A)b=_.Ya(b.Lw()),a.empty().append(b);else if(b instanceof _.Ua)b=_.Ya(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.HX=function(a){var b=_.Io(a,"[jsslot]");if(b.size()>0)return b;b=new _.Go([_.Kk("span")]);_.Jo(b,"jsslot","");a.empty().append(b);return b};_.NLb=function(a){return a===null||typeof a==="string"&&_.Hi(a)};._.k("SD8Jgb");._.MX=function(a){_.X.call(this,a.Fa);this.Ua=a.controller.Ua;this.od=a.controllers.od[0]||null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null||b.setAttribute("type","button")};_.J(_.MX,_.X);_.MX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.mv},header:{jsname:"tJHJj",ctor:_.mv},nav:{jsname:"DH6Rkf",ct
                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          File Type:ASCII text, with very long lines (755)
                                                          Category:downloaded
                                                          Size (bytes):1460
                                                          Entropy (8bit):5.291808298251231
                                                          Encrypted:false
                                                          SSDEEP:24:kMYD7DuZvuhqCsNRxoYTY9/qoVk7hz1l2p6vDMW94uEQOeGbCx4VGbgCSFBV87OU:o7DuZWhv6oy12kvwKEeGbC6GbHSh/Hrw
                                                          MD5:4CA7ADFE744A690411EA4D3EA8DB9E4B
                                                          SHA1:2CF1777A199E25378D330DA68BED1871B5C5BC32
                                                          SHA-256:128129BA736B3094323499B0498A5B3A909C1529717461C34B70080A5B1603BD
                                                          SHA-512:8BD3477AF41D1F0FE74AFFCB177BEC0F5F4FDCBBA6BD29D9C2567E6FFDEF5DEB7FF74BF348F33209C39D7BB4958E748DF6731D3DC8F6947352276BC92EAF9E79
                                                          Malicious:false
                                                          URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
                                                          Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("lOO0Vd");._.VZa=new _.pf(_.Am);._.l();._.k("P6sQOc");.var $Za=!!(_.Kh[1]&16);var b_a=function(a,b,c,d,e){this.ea=a;this.wa=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=a_a(this)},c_a=function(a){var b={};_.La(a.yS(),function(e){b[e]=!0});var c=a.pS(),d=a.tS();return new b_a(a.qP(),c.aa()*1E3,a.WR(),d.aa()*1E3,b)},a_a=function(a){return Math.random()*Math.min(a.wa*Math.pow(a.ka,a.aa),a.Ca)},OG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var PG=function(a){_.W.call(this,a.Fa);this.da=a.Ea.EV;this.ea=a.Ea.metadata;a=a.Ea.Xga;this.fetch=a.fetch.bind(a)};_.J(PG,_.W);PG.Ba=function(){return{Ea:{EV:_.YZa,metadata:_.VZa,Xga:_.OZa}}};PG.prototype.aa=function(a,b){if(this.ea.getType(a.Od())!==1)return _.Sm(a);var c=this.da.eV;return(c=c?c_a(c):null)&&OG(c)?_.wya(a,d_a(this,a,b,c)):_.Sm(a)};.var d_a=function(a,b,c,d){return c.then(function(e){return e},function(e)
                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          File Type:ASCII text, with very long lines (553)
                                                          Category:downloaded
                                                          Size (bytes):743936
                                                          Entropy (8bit):5.791086230020914
                                                          Encrypted:false
                                                          SSDEEP:6144:YVXWBQkPdzg5pTX1ROv/duPzd8C3s891/N:Nfd8j91/N
                                                          MD5:1A3606C746E7B1C949D9078E8E8C1244
                                                          SHA1:56A3EB1E93E61ACD7AAD39DC3526CB60E23651B1
                                                          SHA-256:5F49AE5162183E2EF6F082B29EC99F18DB0212B8ADDB03699B1BFB0AC7869742
                                                          SHA-512:F2D15243311C472331C5F3F083BB6C18D38EC0247A3F3CBAFD96DBA40E4EAE489CDA04176672E39FE3760EF7347596B2A5EAB0FB0125E881EF514475C99863B9
                                                          Malicious:false
                                                          URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlE6O04h0gj7Nu50q-nmaRKM6WWcJw/m=_b,_tp"
                                                          Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a||[]};(0,_._F_toggles_initialize)([0x286081c4, 0x2046d860, 0x39e13c40, 0x14501e80, 0xe420, 0x0, 0x1a000000, 0x1d000003, 0xc, ]);./*.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/./*.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0.*/./*.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT.*/./*. SPDX-License-Identifier: Apache-2.0.*/./*. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/.var baa,daa,Ma,Sa,gaa,iaa,jb,qaa,waa,Caa,Haa,Kaa,Jb,Laa,Ob,Qb,Rb,Maa,Naa,Sb,Oaa,Paa,Qaa,Yb,Vaa,Xaa,ec,fc,gc,bba,cba,gba,jba,lba,mba,qba,tba,nba,sba,rba,pba,oba,uba,yba,Cba,Dba,Aba,Hc,Ic,Gba,Iba,Mba,Nba,Oba,Pba,Lba,Qba,Sba,dd,Uba,Vba,Xba,Zba,Yba,aca,bca,cca,dca,fca,eca,hca,ica,jca,kca,nca,
                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          File Type:ASCII text, with very long lines (570)
                                                          Category:downloaded
                                                          Size (bytes):3467
                                                          Entropy (8bit):5.514745431912774
                                                          Encrypted:false
                                                          SSDEEP:96:ozbld2fNUmeqJNizhNtt1W8t//loyIpXmdVE2w:onSKE8PWe/Cy4X3j
                                                          MD5:8DEF399E8355ABC23E64505281005099
                                                          SHA1:24FF74C3AEFD7696D84FF148465DF4B1B60B1696
                                                          SHA-256:F128D7218E1286B05DF11310AD3C8F4CF781402698E45448850D2A3A22F5F185
                                                          SHA-512:33721DD47658D8E12ADF6BD9E9316EB89F5B6297927F7FD60F954E04B829DCBF0E1AE6DDD9A3401F45E0011AE4B1397B960C218238A3D0F633A2173D8E604082
                                                          Malicious:false
                                                          URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
                                                          Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("Wt6vjf");.var cya=function(){var a=_.He();return _.Lj(a,1)},Yt=function(a){this.Da=_.t(a,0,Yt.messageId)};_.J(Yt,_.w);Yt.prototype.Ha=function(){return _.Dj(this,1)};Yt.prototype.Va=function(a){return _.Vj(this,1,a)};Yt.messageId="f.bo";var Zt=function(){_.hm.call(this)};_.J(Zt,_.hm);Zt.prototype.xd=function(){this.CT=!1;dya(this);_.hm.prototype.xd.call(this)};Zt.prototype.aa=function(){eya(this);if(this.wC)return fya(this),!1;if(!this.KV)return $t(this),!0;this.dispatchEvent("p");if(!this.zP)return $t(this),!0;this.wM?(this.dispatchEvent("r"),$t(this)):fya(this);return!1};.var gya=function(a){var b=new _.ap(a.W4);a.qQ!=null&&_.Jn(b,"authuser",a.qQ);return b},fya=function(a){a.wC=!0;var b=gya(a),c="rt=r&f_uid="+_.pk(a.zP);_.cn(b,(0,_.bg)(a.ea,a),"POST",c)};.Zt.prototype.ea=function(a){a=a.target;eya(this);if(_.fn(a)){this.cK=0;if(this.wM)this.wC=!1,this.dispatchEvent("r"
                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:downloaded
                                                          Size (bytes):84
                                                          Entropy (8bit):4.875266466142591
                                                          Encrypted:false
                                                          SSDEEP:3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
                                                          MD5:87B6333E98B7620EA1FF98D1A837A39E
                                                          SHA1:105DE6815B0885357DE1414BFC0D77FCC9E924EF
                                                          SHA-256:DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
                                                          SHA-512:867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
                                                          Malicious:false
                                                          URL:https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzQSHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
                                                          Preview:Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA
                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          File Type:ASCII text, with very long lines (395)
                                                          Category:downloaded
                                                          Size (bytes):1608
                                                          Entropy (8bit):5.257113147606035
                                                          Encrypted:false
                                                          SSDEEP:48:o72ZrNZ4yNAbU+15fMxIdf5WENoBCbw7DbG2bEJrw:oyNNAY+1i4HoBNG2Ilw
                                                          MD5:F06E2DC5CC446B39F878B5F8E4D78418
                                                          SHA1:9F1F34FDD8F8DAB942A9B95D9F720587B6F6AD48
                                                          SHA-256:118E4D2FE7CEF205F9AFC87636554C6D8220882B158333EE3D1990282D158B8F
                                                          SHA-512:893C4F883CD1C88C6AAF5A6E7F232D62823A53E1FFDE5C1C52BB066D75781DD041F4D281CDBF18070D921CE862652D8863E2B9D5E0190CFA4128890D62C44168
                                                          Malicious:false
                                                          URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
                                                          Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("w9hDv");._.vg(_.Hla);_.eA=function(a){_.W.call(this,a.Fa);this.aa=a.Xa.cache};_.J(_.eA,_.W);_.eA.Ba=function(){return{Xa:{cache:_.dt}}};_.eA.prototype.execute=function(a){_.Bb(a,function(b){var c;_.$e(b)&&(c=b.eb.kc(b.kb));c&&this.aa.xG(c)},this);return{}};_.nu(_.Nla,_.eA);._.l();._.k("ZDZcre");.var fH=function(a){_.W.call(this,a.Fa);this.Wl=a.Ea.Wl;this.d4=a.Ea.metadata;this.aa=a.Ea.ot};_.J(fH,_.W);fH.Ba=function(){return{Ea:{Wl:_.KG,metadata:_.VZa,ot:_.HG}}};fH.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Bb(a,function(c){var d=b.d4.getType(c.Od())===2?b.Wl.Rb(c):b.Wl.fetch(c);return _.yl(c,_.LG)?d.then(function(e){return _.Dd(e)}):d},this)};_.nu(_.Sla,fH);._.l();._.k("K5nYTd");._.UZa=new _.pf(_.Ola);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var NG=function(a){_.W.call(this,a.Fa);this.aa=a.Ea.tQ};_.J(NG,_.W);NG.Ba=func
                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          File Type:ASCII text, with very long lines (522)
                                                          Category:downloaded
                                                          Size (bytes):5050
                                                          Entropy (8bit):5.289052544075544
                                                          Encrypted:false
                                                          SSDEEP:96:o4We0hP7OBFXYvB1sig3Fd8HkaXzLmUrv8Vh1WJlLQXT2v2gqw:655758Fd8HkaPZ0GmAD
                                                          MD5:26E26FD11772DFF5C7004BEA334289CC
                                                          SHA1:638DAAF541BDE31E95AEE4F8ADA677434D7051DB
                                                          SHA-256:ADFE3E4960982F5EF4C043052A9990D8683C5FC2B590E817B6B1A5774DDE2CE3
                                                          SHA-512:C31929EB6D1C60D6A84A2574FF60490394A6D6F9B354972F3328952F570D80B3F2AEC916B0E1B66DDB1AC056EB75BFAC477E7AF631D0AD1810EDBAF025465D66
                                                          Malicious:false
                                                          URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
                                                          Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.jNa=_.y("wg1P6b",[_.TA,_.Cn,_.Kn]);._.k("wg1P6b");.var Z5a;Z5a=_.mh(["aria-"]);._.uJ=function(a){_.X.call(this,a.Fa);this.Ka=this.wa=this.aa=this.viewportElement=this.Na=null;this.Hc=a.Ea.ff;this.ab=a.Ea.focus;this.Fc=a.Ea.Fc;this.ea=this.Pi();a=-1*parseInt(_.Co(this.Pi().el(),"marginTop")||"0",10);var b=parseInt(_.Co(this.Pi().el(),"marginBottom")||"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.cf(this.getData("isMenuDynamic"),!1);b=_.cf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Wc(0),_.ku(this,.$5a(this,this.aa.el())));_.kF(this.oa())&&(a=this.oa().el(),b=this.we.bind(this),a.__soy_skip_handler=b)};_.J(_.uJ,_.X);_.uJ.Ba=function(){return{Ea:{ff:_.ZE,focus:_.KE,Fc:_.ru}}};_.uJ.prototype.xF=function(a){var b=a.source;this.Na=b;var c;((c=a.data)==null?0:c.fz)?(a=a.data.fz,this.Ca=a==="MOUS
                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          File Type:ASCII text, with very long lines (1694)
                                                          Category:downloaded
                                                          Size (bytes):32500
                                                          Entropy (8bit):5.378903546681047
                                                          Encrypted:false
                                                          SSDEEP:768:zYlbuROstb0e39nKGrkysU0smpu4OLOdzIf1p/5GeSsngurz6aKEEEGo/:zYl61Cysbu4OLOdzIfrIen72ZFo/
                                                          MD5:BF4BF9728A7C302FBA5B14F3D0F1878B
                                                          SHA1:2607CA7A93710D629400077FF3602CB207E6F53D
                                                          SHA-256:8981E7B228DF7D6A8797C0CD1E9B0F1F88337D5F0E1C27A04E7A57D2C4309798
                                                          SHA-512:AC9E170FC3AFDC0CF6BB8E926B93EF129A5FAD1BBA51B60BABCF3555E9B652E98F86A00FB099879DED35DD3FFE72ECFA597E20E6CA8CF402BEDEC40F78412EDA
                                                          Malicious:false
                                                          URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
                                                          Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{.var Aua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.ap("//www.google.com/images/cleardot.gif");_.op(c)}this.ka=c};_.h=Aua.prototype;_.h.Zc=null;_.h.lZ=1E4;_.h.bA=!1;_.h.nQ=0;_.h.zJ=null;_.h.bV=null;_.h.setTimeout=function(a){this.lZ=a};_.h.start=function(){if(this.bA)throw Error("dc");this.bA=!0;this.nQ=0;Bua(this)};_.h.stop=function(){Cua(this);this.bA=!1};.var Bua=function(a){a.nQ++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.km((0,_.bg)(a.aH,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.bg)(a.Fja,a),a.aa.onerror=(0,_.bg)(a.Eja,a),a.aa.onabort=(0,_.bg)(a.Dja,a),a.zJ=_.km(a.Gja,a.lZ,a),a.aa.src=String(a.ka))};_.h=Aua.prototype;_.h.Fja=function(){this.aH(!0)};_.h.Eja=function(){this.aH(!1)};_.h.Dja=function(){this.aH(!1)};_.h.Gja=function(){this.aH(!1)};._.h.aH=function(a){Cua(this);a?(this.bA=!1,this.da.call(this.ea,!0)):this.nQ<=0?Bua(this):(this.bA=!1,

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.5824493814648495
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:918'528 bytes
MD5:aa9949bd15875a5926fbf69ee1cbab14
SHA1:684a285fd052ea63159e7ce6422ca826f1b425a0
SHA256:39181ee18d5f072fd0506ad9e882bef008d3662a8349d5386735ac1b476aab98
SHA512:ed2ea562933f92f8af4b54748ab69fabb8e773b91ba4bc1ce7b91cf0ee8c8663146b6732a6d3adc64bc8ac6a4dd6b004384cf9d7f60804a75804ab7728596a94
SSDEEP:12288:BqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaBTA:BqDEvCTbMWu7rQYlBQcBiT6rprG8aVA
TLSH:40159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
Icon Hash:aaf3e3e3938382a0
Entrypoint:0x420577
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:0x66FD7AB6 [Wed Oct 2 16:54:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:948cc502fe9226992dce9417f952fce3

Instruction
call 00007F76188E86B3h
jmp 00007F76188E7FBFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F76188E819Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F76188E816Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F76188EAD5Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F76188EADA8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F76188EAD91h
test byte ptr [ebp+08h], 00000001h
pop ecx

Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x9944 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xde000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x9944 | 0x9a00 | a5277bcde916c1151b2304a04b4e2de9 | False | 0.3039519074675325 | data | 5.281076843595052 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xde000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0xc0c | data | | | 1.0035667963683528
RT_GROUP_ICON | 0xdd3c4 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0xdd43c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xdd450 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xdd464 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xdd478 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0xdd554 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                                          DLLImport
                                                          WSOCK32.dllgethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
                                                          VERSION.dllGetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                                                          WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                                          COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                                          MPR.dllWNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
                                                          WININET.dllHttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
                                                          PSAPI.DLLGetProcessMemoryInfo
                                                          IPHLPAPI.DLLIcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
                                                          USERENV.dllDestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
                                                          UxTheme.dllIsThemeActive
                                                          KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, 
VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll: GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll: EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll: DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll: CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken
English | Great Britain

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Oct 2, 2024 19:08:16.738707066 CEST49737443192.168.2.713.85.23.86
                                                          Oct 2, 2024 19:08:16.740195990 CEST49737443192.168.2.713.85.23.86
                                                          Oct 2, 2024 19:08:16.740211010 CEST4434973713.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:16.927537918 CEST44349734216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:16.927855015 CEST49734443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:16.927865982 CEST44349734216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:16.928236008 CEST44349734216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:16.928291082 CEST49734443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:16.928951025 CEST44349734216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:16.929006100 CEST49734443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:16.929156065 CEST49734443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:16.929219961 CEST44349734216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:16.929326057 CEST49734443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:16.929332018 CEST44349734216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:16.929346085 CEST49734443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:16.971396923 CEST44349734216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:16.980072975 CEST49734443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:17.123519897 CEST44349736216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:17.123874903 CEST49736443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:17.123915911 CEST44349736216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:17.124269962 CEST44349736216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:17.124336958 CEST49736443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:17.124977112 CEST44349736216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:17.125036955 CEST49736443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:17.125154972 CEST49736443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:17.125224113 CEST44349736216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:17.125328064 CEST49736443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:17.125343084 CEST44349736216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:17.125361919 CEST49736443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:17.147356987 CEST44349734216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:17.147986889 CEST44349734216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:17.148066044 CEST49734443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:17.148979902 CEST49734443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:17.148997068 CEST44349734216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:17.168852091 CEST49736443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:17.168870926 CEST44349736216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:17.341496944 CEST44349736216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:17.342056036 CEST44349736216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:17.342120886 CEST49736443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:17.446477890 CEST4434973713.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:17.446595907 CEST49737443192.168.2.713.85.23.86
                                                          Oct 2, 2024 19:08:17.549762964 CEST49736443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:17.549803972 CEST44349736216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:17.564001083 CEST49737443192.168.2.713.85.23.86
                                                          Oct 2, 2024 19:08:17.564053059 CEST4434973713.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:17.564408064 CEST4434973713.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:17.606359005 CEST49737443192.168.2.713.85.23.86
                                                          Oct 2, 2024 19:08:17.729985952 CEST49699443192.168.2.7104.98.116.138
                                                          Oct 2, 2024 19:08:17.734875917 CEST44349699104.98.116.138192.168.2.7
                                                          Oct 2, 2024 19:08:17.742010117 CEST49743443192.168.2.7104.98.116.138
                                                          Oct 2, 2024 19:08:17.742069960 CEST44349743104.98.116.138192.168.2.7
                                                          Oct 2, 2024 19:08:17.742130041 CEST49743443192.168.2.7104.98.116.138
                                                          Oct 2, 2024 19:08:17.747834921 CEST49743443192.168.2.7104.98.116.138
                                                          Oct 2, 2024 19:08:17.747869015 CEST44349743104.98.116.138192.168.2.7
                                                          Oct 2, 2024 19:08:17.944380999 CEST49711443192.168.2.7216.58.206.36
                                                          Oct 2, 2024 19:08:17.991406918 CEST44349711216.58.206.36192.168.2.7
                                                          Oct 2, 2024 19:08:18.215291977 CEST44349711216.58.206.36192.168.2.7
                                                          Oct 2, 2024 19:08:18.215349913 CEST44349711216.58.206.36192.168.2.7
                                                          Oct 2, 2024 19:08:18.215379000 CEST44349711216.58.206.36192.168.2.7
                                                          Oct 2, 2024 19:08:18.215430021 CEST44349711216.58.206.36192.168.2.7
                                                          Oct 2, 2024 19:08:18.215533018 CEST44349711216.58.206.36192.168.2.7
                                                          Oct 2, 2024 19:08:18.215533972 CEST49711443192.168.2.7216.58.206.36
                                                          Oct 2, 2024 19:08:18.215583086 CEST49711443192.168.2.7216.58.206.36
                                                          Oct 2, 2024 19:08:18.218966961 CEST49737443192.168.2.713.85.23.86
                                                          Oct 2, 2024 19:08:18.224225998 CEST49711443192.168.2.7216.58.206.36
                                                          Oct 2, 2024 19:08:18.224263906 CEST44349711216.58.206.36192.168.2.7
                                                          Oct 2, 2024 19:08:18.259449005 CEST4434973713.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:18.446592093 CEST4434973713.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:18.446619987 CEST4434973713.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:18.446629047 CEST4434973713.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:18.446643114 CEST4434973713.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:18.446674109 CEST4434973713.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:18.446691036 CEST49737443192.168.2.713.85.23.86
                                                          Oct 2, 2024 19:08:18.446728945 CEST4434973713.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:18.446753025 CEST49737443192.168.2.713.85.23.86
                                                          Oct 2, 2024 19:08:18.446779966 CEST49737443192.168.2.713.85.23.86
                                                          Oct 2, 2024 19:08:18.447263956 CEST4434973713.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:18.447329998 CEST49737443192.168.2.713.85.23.86
                                                          Oct 2, 2024 19:08:18.447341919 CEST4434973713.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:18.447413921 CEST4434973713.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:18.447752953 CEST49737443192.168.2.713.85.23.86
                                                          Oct 2, 2024 19:08:19.181782961 CEST49737443192.168.2.713.85.23.86
                                                          Oct 2, 2024 19:08:19.181824923 CEST4434973713.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:22.728179932 CEST49748443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:22.728212118 CEST44349748216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:22.728311062 CEST49748443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:22.728954077 CEST49748443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:22.728965044 CEST44349748216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:23.357819080 CEST44349748216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:23.358398914 CEST49748443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:23.358408928 CEST44349748216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:23.358958960 CEST44349748216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:23.359514952 CEST49748443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:23.359584093 CEST44349748216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:23.359684944 CEST49748443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:23.359699011 CEST49748443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:23.359709978 CEST44349748216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:23.402537107 CEST49748443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:23.677454948 CEST44349748216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:23.677632093 CEST44349748216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:23.677771091 CEST49748443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:23.679187059 CEST49748443192.168.2.7216.58.212.142
                                                          Oct 2, 2024 19:08:23.679208994 CEST44349748216.58.212.142192.168.2.7
                                                          Oct 2, 2024 19:08:26.355134964 CEST49677443192.168.2.720.50.201.200
                                                          Oct 2, 2024 19:08:33.505816936 CEST6402153192.168.2.7162.159.36.2
                                                          Oct 2, 2024 19:08:33.510731936 CEST5364021162.159.36.2192.168.2.7
                                                          Oct 2, 2024 19:08:33.510848045 CEST6402153192.168.2.7162.159.36.2
                                                          Oct 2, 2024 19:08:33.515728951 CEST5364021162.159.36.2192.168.2.7
                                                          Oct 2, 2024 19:08:33.985640049 CEST6402153192.168.2.7162.159.36.2
                                                          Oct 2, 2024 19:08:33.991082907 CEST5364021162.159.36.2192.168.2.7
                                                          Oct 2, 2024 19:08:33.991141081 CEST6402153192.168.2.7162.159.36.2
                                                          Oct 2, 2024 19:08:34.006953001 CEST64022443192.168.2.720.3.187.198
                                                          Oct 2, 2024 19:08:34.006992102 CEST4436402220.3.187.198192.168.2.7
                                                          Oct 2, 2024 19:08:34.007179976 CEST64022443192.168.2.720.3.187.198
                                                          Oct 2, 2024 19:08:34.007503986 CEST64022443192.168.2.720.3.187.198
                                                          Oct 2, 2024 19:08:34.007517099 CEST4436402220.3.187.198192.168.2.7
                                                          Oct 2, 2024 19:08:34.837393999 CEST4436402220.3.187.198192.168.2.7
                                                          Oct 2, 2024 19:08:34.837553978 CEST64022443192.168.2.720.3.187.198
                                                          Oct 2, 2024 19:08:34.841120958 CEST64022443192.168.2.720.3.187.198
                                                          Oct 2, 2024 19:08:34.841150999 CEST4436402220.3.187.198192.168.2.7
                                                          Oct 2, 2024 19:08:34.841507912 CEST4436402220.3.187.198192.168.2.7
                                                          Oct 2, 2024 19:08:34.846853971 CEST64022443192.168.2.720.3.187.198
                                                          Oct 2, 2024 19:08:34.887429953 CEST4436402220.3.187.198192.168.2.7
                                                          Oct 2, 2024 19:08:35.081518888 CEST4436402220.3.187.198192.168.2.7
                                                          Oct 2, 2024 19:08:35.081597090 CEST4436402220.3.187.198192.168.2.7
                                                          Oct 2, 2024 19:08:35.081789970 CEST64022443192.168.2.720.3.187.198
                                                          Oct 2, 2024 19:08:35.081835032 CEST64022443192.168.2.720.3.187.198
                                                          Oct 2, 2024 19:08:35.081849098 CEST4436402220.3.187.198192.168.2.7
                                                          Oct 2, 2024 19:08:35.081865072 CEST64022443192.168.2.720.3.187.198
                                                          Oct 2, 2024 19:08:35.081868887 CEST4436402220.3.187.198192.168.2.7
                                                          Oct 2, 2024 19:08:35.111886024 CEST64023443192.168.2.713.85.23.86
                                                          Oct 2, 2024 19:08:35.111921072 CEST4436402313.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:35.112001896 CEST64023443192.168.2.713.85.23.86
                                                          Oct 2, 2024 19:08:35.112502098 CEST64023443192.168.2.713.85.23.86
                                                          Oct 2, 2024 19:08:35.112515926 CEST4436402313.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:35.824759960 CEST4436402313.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:35.824860096 CEST64023443192.168.2.713.85.23.86
                                                          Oct 2, 2024 19:08:35.826503992 CEST64023443192.168.2.713.85.23.86
                                                          Oct 2, 2024 19:08:35.826509953 CEST4436402313.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:35.826798916 CEST4436402313.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:35.828360081 CEST64023443192.168.2.713.85.23.86
                                                          Oct 2, 2024 19:08:35.871400118 CEST4436402313.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:35.994005919 CEST4436402313.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:35.994093895 CEST4436402313.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:35.994168043 CEST64023443192.168.2.713.85.23.86
                                                          Oct 2, 2024 19:08:35.994240999 CEST64023443192.168.2.713.85.23.86
                                                          Oct 2, 2024 19:08:35.994257927 CEST4436402313.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:35.994276047 CEST64023443192.168.2.713.85.23.86
                                                          Oct 2, 2024 19:08:35.994281054 CEST4436402313.85.23.86192.168.2.7
                                                          Oct 2, 2024 19:08:37.810533047 CEST64024443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:37.810580015 CEST443640244.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:37.810647011 CEST64024443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:37.811033964 CEST64024443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:37.811044931 CEST443640244.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:38.625281096 CEST443640244.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:38.625543118 CEST64024443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:38.627356052 CEST64024443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:38.627367973 CEST443640244.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:38.627697945 CEST443640244.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:38.628830910 CEST64024443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:38.671401978 CEST443640244.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:38.970817089 CEST443640244.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:38.970845938 CEST443640244.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:38.970861912 CEST443640244.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:38.970923901 CEST64024443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:38.970958948 CEST443640244.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:38.971023083 CEST64024443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:38.971101046 CEST443640244.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:38.971158981 CEST443640244.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:38.971195936 CEST64024443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:39.058891058 CEST64024443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:39.058939934 CEST443640244.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:39.323251009 CEST64025443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:39.323292971 CEST443640254.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:39.323378086 CEST64025443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:39.323720932 CEST64025443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:39.323733091 CEST443640254.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:40.113044977 CEST443640254.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:40.113368988 CEST64025443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:40.114509106 CEST64025443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:40.114527941 CEST443640254.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:40.114882946 CEST443640254.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:40.115992069 CEST64025443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:40.163412094 CEST443640254.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:40.447050095 CEST443640254.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:40.447114944 CEST443640254.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:40.447156906 CEST443640254.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:40.447264910 CEST64025443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:40.447292089 CEST443640254.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:40.447319031 CEST443640254.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:40.447330952 CEST64025443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:40.447340012 CEST64025443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:40.447356939 CEST443640254.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:40.447375059 CEST64025443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:40.447396994 CEST64025443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:40.447453022 CEST443640254.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:40.447514057 CEST64025443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:40.447534084 CEST443640254.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:40.447582006 CEST64025443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:40.447668076 CEST443640254.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:40.447715044 CEST64025443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:40.449892998 CEST64025443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:40.449920893 CEST443640254.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:40.449935913 CEST64025443192.168.2.74.175.87.197
                                                          Oct 2, 2024 19:08:40.449942112 CEST443640254.175.87.197192.168.2.7
                                                          Oct 2, 2024 19:08:45.681484938 CEST64026443192.168.2.7216.58.206.78
                                                          Oct 2, 2024 19:08:45.681529045 CEST44364026216.58.206.78192.168.2.7
                                                          Oct 2, 2024 19:08:45.681607008 CEST64026443192.168.2.7216.58.206.78
                                                          Oct 2, 2024 19:08:45.681876898 CEST64026443192.168.2.7216.58.206.78
                                                          Oct 2, 2024 19:08:45.681894064 CEST44364026216.58.206.78192.168.2.7
                                                          Oct 2, 2024 19:08:45.749142885 CEST64027443192.168.2.7216.58.206.78
                                                          Oct 2, 2024 19:08:45.749202013 CEST44364027216.58.206.78192.168.2.7
                                                          Oct 2, 2024 19:08:45.749288082 CEST64027443192.168.2.7216.58.206.78
                                                          Oct 2, 2024 19:08:45.749561071 CEST64027443192.168.2.7216.58.206.78
                                                          Oct 2, 2024 19:08:45.749573946 CEST44364027216.58.206.78192.168.2.7
                                                          Oct 2, 2024 19:08:46.322299957 CEST44364026216.58.206.78192.168.2.7
                                                          Oct 2, 2024 19:08:46.322743893 CEST64026443192.168.2.7216.58.206.78
                                                          Oct 2, 2024 19:08:46.322772980 CEST44364026216.58.206.78192.168.2.7
                                                          Oct 2, 2024 19:08:46.323188066 CEST44364026216.58.206.78192.168.2.7
                                                          Oct 2, 2024 19:08:46.323617935 CEST64026443192.168.2.7216.58.206.78
                                                          Oct 2, 2024 19:08:46.323705912 CEST44364026216.58.206.78192.168.2.7
                                                          Oct 2, 2024 19:08:46.323892117 CEST64026443192.168.2.7216.58.206.78
                                                          Oct 2, 2024 19:08:46.323930979 CEST64026443192.168.2.7216.58.206.78
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 2, 2024 19:08:03.947079897 CEST | 192.168.2.7 | 1.1.1.1 | 0x479a | Standard query (0) | youtube.com | A (IP address) | IN (0x0001) | false
Oct 2, 2024 19:08:03.947268009 CEST | 192.168.2.7 | 1.1.1.1 | 0x71d2 | Standard query (0) | youtube.com | 65 | IN (0x0001) | false
Oct 2, 2024 19:08:05.448458910 CEST | 192.168.2.7 | 1.1.1.1 | 0x23fd | Standard query (0) | www.youtube.com | A (IP address) | IN (0x0001) | false
Oct 2, 2024 19:08:05.449487925 CEST | 192.168.2.7 | 1.1.1.1 | 0xb004 | Standard query (0) | www.youtube.com | 65 | IN (0x0001) | false
Oct 2, 2024 19:08:08.387429953 CEST | 192.168.2.7 | 1.1.1.1 | 0xa632 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Oct 2, 2024 19:08:08.387813091 CEST | 192.168.2.7 | 1.1.1.1 | 0x7ffd | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
Oct 2, 2024 19:08:13.628734112 CEST | 192.168.2.7 | 1.1.1.1 | 0x3dba | Standard query (0) | accounts.youtube.com | A (IP address) | IN (0x0001) | false
Oct 2, 2024 19:08:13.629564047 CEST | 192.168.2.7 | 1.1.1.1 | 0xb20e | Standard query (0) | accounts.youtube.com | 65 | IN (0x0001) | false
Oct 2, 2024 19:08:15.094163895 CEST | 192.168.2.7 | 1.1.1.1 | 0xeb94 | Standard query (0) | play.google.com | A (IP address) | IN (0x0001) | false
Oct 2, 2024 19:08:15.094400883 CEST | 192.168.2.7 | 1.1.1.1 | 0xe2c3 | Standard query (0) | play.google.com | 65 | IN (0x0001) | false
Oct 2, 2024 19:08:33.995210886 CEST | 192.168.2.7 | 1.1.1.1 | 0xb7d7 | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Oct 2, 2024 19:08:45.671674013 CEST | 192.168.2.7 | 1.1.1.1 | 0x3aec | Standard query (0) | play.google.com | A (IP address) | IN (0x0001) | false
Oct 2, 2024 19:09:08.473315001 CEST | 192.168.2.7 | 1.1.1.1 | 0x5a81 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
                                                          • youtube.com
                                                          • www.youtube.com
                                                          • fs.microsoft.com
                                                          • https:
                                                            • accounts.youtube.com
                                                            • play.google.com
                                                            • www.google.com
                                                          • slscr.update.microsoft.com
                                                          • fe3cr.delivery.mp.microsoft.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49703 | 142.250.186.78 | 443 | 1432 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-02 17:08:04 UTC | 839 | OUT | GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1
                                                          Host: youtube.com
                                                          Connection: keep-alive
                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                          sec-ch-ua-mobile: ?0
                                                          sec-ch-ua-platform: "Windows"
                                                          Upgrade-Insecure-Requests: 1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
                                                          Sec-Fetch-Site: none
                                                          Sec-Fetch-Mode: navigate
                                                          Sec-Fetch-User: ?1
                                                          Sec-Fetch-Dest: document
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.9
2024-10-02 17:08:04 UTC | 1726 | IN | HTTP/1.1 301 Moved Permanently
                                                          Content-Type: application/binary
                                                          X-Content-Type-Options: nosniff
                                                          Expires: Wed, 02 Oct 2024 17:08:04 GMT
                                                          Date: Wed, 02 Oct 2024 17:08:04 GMT
                                                          Cache-Control: private, max-age=31536000
                                                          Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd
                                                          X-Frame-Options: SAMEORIGIN
                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /cspreport
                                                          Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main"
                                                          Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]}
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          1 | 192.168.2.7 | 49706 | 216.58.206.46 | 443 | 1432 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-10-02 17:08:06 UTC | 857 | OUT | GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1
                                                          Host: www.youtube.com
                                                          Connection: keep-alive
                                                          Upgrade-Insecure-Requests: 1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
                                                          Sec-Fetch-Site: none
                                                          Sec-Fetch-Mode: navigate
                                                          Sec-Fetch-User: ?1
                                                          Sec-Fetch-Dest: document
                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                          sec-ch-ua-mobile: ?0
                                                          sec-ch-ua-platform: "Windows"
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.9
                                                          2024-10-02 17:08:06 UTC | 2634 | IN | HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          X-Content-Type-Options: nosniff
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Wed, 02 Oct 2024 17:08:06 GMT
                                                          Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en
                                                          X-Frame-Options: SAMEORIGIN
                                                          Strict-Transport-Security: max-age=31536000
                                                          Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main"
                                                          Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9
                                                          Content-Security-Policy: require-trusted-types-for 'script'
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]}
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info."
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Wed, 02-Oct-2024 17:38:06 GMT; Path=/; Secure; HttpOnly
                                                          Set-Cookie: YSC=6pxwXY986Is; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
                                                          Set-Cookie: VISITOR_INFO1_LIVE=LDSuoF0QZEg; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 17:08:06 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
                                                          Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgNw%3D%3D; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 17:08:06 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          2 | 192.168.2.7 | 49712 | 184.28.90.27 | 443 |  | 
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-10-02 17:08:09 UTC | 161 | OUT | HEAD /fs/windows/config.json HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Accept: */*
                                                          Accept-Encoding: identity
                                                          User-Agent: Microsoft BITS/7.8
                                                          Host: fs.microsoft.com
                                                          2024-10-02 17:08:09 UTC | 466 | IN | HTTP/1.1 200 OK
                                                          Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
                                                          Content-Type: application/octet-stream
                                                          ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
                                                          Last-Modified: Tue, 16 May 2017 22:58:00 GMT
                                                          Server: ECAcc (lpl/EF06)
                                                          X-CID: 11
                                                          X-Ms-ApiVersion: Distribute 1.2
                                                          X-Ms-Region: prod-neu-z1
                                                          Cache-Control: public, max-age=85061
                                                          Date: Wed, 02 Oct 2024 17:08:09 GMT
                                                          Connection: close
                                                          X-CID: 2


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          3 | 192.168.2.7 | 49714 | 184.28.90.27 | 443 |  | 
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-10-02 17:08:10 UTC | 239 | OUT | GET /fs/windows/config.json HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Accept: */*
                                                          Accept-Encoding: identity
                                                          If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
                                                          Range: bytes=0-2147483646
                                                          User-Agent: Microsoft BITS/7.8
                                                          Host: fs.microsoft.com
                                                          2024-10-02 17:08:10 UTC | 514 | IN | HTTP/1.1 200 OK
                                                          ApiVersion: Distribute 1.1
                                                          Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
                                                          Content-Type: application/octet-stream
                                                          ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
                                                          Last-Modified: Tue, 16 May 2017 22:58:00 GMT
                                                          Server: ECAcc (lpl/EF06)
                                                          X-CID: 11
                                                          X-Ms-ApiVersion: Distribute 1.2
                                                          X-Ms-Region: prod-weu-z1
                                                          Cache-Control: public, max-age=85004
                                                          Date: Wed, 02 Oct 2024 17:08:10 GMT
                                                          Content-Length: 55
                                                          Connection: close
                                                          X-CID: 2
                                                          2024-10-02 17:08:10 UTC | 55 | IN | Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d
                                                          Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          4 | 192.168.2.7 | 49726 | 216.58.206.78 | 443 | 1432 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-10-02 17:08:14 UTC | 1224 | OUT | GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1484300216&timestamp=1727888893272 HTTP/1.1
                                                          Host: accounts.youtube.com
                                                          Connection: keep-alive
                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                          sec-ch-ua-mobile: ?0
                                                          sec-ch-ua-full-version: "117.0.5938.134"
                                                          sec-ch-ua-arch: "x86"
                                                          sec-ch-ua-platform: "Windows"
                                                          sec-ch-ua-platform-version: "10.0.0"
                                                          sec-ch-ua-model: ""
                                                          sec-ch-ua-bitness: "64"
                                                          sec-ch-ua-wow64: ?0
                                                          sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                                                          Upgrade-Insecure-Requests: 1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
                                                          Sec-Fetch-Site: cross-site
                                                          Sec-Fetch-Mode: navigate
                                                          Sec-Fetch-User: ?1
                                                          Sec-Fetch-Dest: iframe
                                                          Referer: https://accounts.google.com/
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.9
                                                          2024-10-02 17:08:14 UTC | 1969 | IN | HTTP/1.1 200 OK
                                                          Content-Type: text/html; charset=utf-8
                                                          X-Frame-Options: ALLOW-FROM https://accounts.google.com
                                                          Content-Security-Policy: frame-ancestors https://accounts.google.com
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport
                                                          Content-Security-Policy: script-src 'report-sample' 'nonce-JV8f6upz5V1hsMZpPt8Ezw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Wed, 02 Oct 2024 17:08:14 GMT
                                                          Cross-Origin-Resource-Policy: cross-origin
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjstDikmJw1pBikPj6kkkNiJ3SZ7AGAHHSv_OsBUB8ufsS63UgVu25xGoMxEUSV1gbgFiIh-Pf76_b2QROLL37gVFJLym_MD4zJTWvJLOkMiU_NzEzLzk_Pzsztbg4tagstSjeyMDIxMDSyEjPwCK-wAAAFAougA"
                                                          Server: ESF
                                                          X-XSS-Protection: 0
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Accept-Ranges: none
                                                          Vary: Accept-Encoding
                                                          Connection: close
                                                          Transfer-Encoding: chunked
                                                          2024-10-02 17:08:14 UTC | 1969 | IN | Data Raw: 37 36 31 39 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 4a 56 38 66 36 75 70 7a 35 56 31 68 73 4d 5a 70 50 74 38 45 7a 77 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f
                                                          Data Ascii: 7619<html><head><script nonce="JV8f6upz5V1hsMZpPt8Ezw">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs||{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
                                                          2024-10-02 17:08:14 UTC | 1969 | IN | Data Raw: 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a 5c 5c 28
                                                          Data Ascii: Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s*(?:\\(
                                                          2024-10-02 17:08:14 UTC | 1969 | IN | Data Raw: 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c 26 26 61 20 69 6e
                                                          Data Ascii: tch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null&&a in
                                                          2024-10-02 17:08:14 UTC | 1969 | IN | Data Raw: 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 68 29 7b 64 3d 61 5b 62 2d
                                                          Data Ascii: {var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.length){d=a[b-
                                                          2024-10-02 17:08:14 UTC | 1969 | IN | Data Raw: 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 74 79 70 65
                                                          Data Ascii: ol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="function"&&type
                                                          2024-10-02 17:08:14 UTC | 1969 | IN | Data Raw: 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 66 28 21 49 28 6b 2c 66 29 29
                                                          Data Ascii: );e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d(k);if(!I(k,f))
                                                          2024-10-02 17:08:14 UTC | 1969 | IN | Data Raw: 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 62 2e 68 61 73 28 6b 29
                                                          Data Ascii: urn g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"||l=="function"?b.has(k)
                                                          2024-10-02 17:08:14 UTC | 1969 | IN | Data Raw: 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 64 5f 22 2b 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2a 31 45
                                                          Data Ascii: on(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb||{},q=this||self,gb=q._F_toggles||[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_uid_"+(Math.random()*1E
                                                          2024-10-02 17:08:14 UTC | 1969 | IN | Data Raw: 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 68
                                                          Data Ascii: text__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c||q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}},tb=function(a){var b=h
                                                          2024-10-02 17:08:14 UTC | 1969 | IN | Data Raw: 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d 63 61 74 63 68 28 68 29 7b 63 2e 70 75 73 68 28 22 5b 65 78 63 65 70 74 69 6f 6e
                                                          Data Ascii: "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}catch(h){c.push("[exception


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          5 | 192.168.2.7 | 49729 | 216.58.212.142 | 443 | 1432 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-10-02 17:08:15 UTC | 549 | OUT | OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                          Host: play.google.com
                                                          Connection: keep-alive
                                                          Accept: */*
                                                          Access-Control-Request-Method: POST
                                                          Access-Control-Request-Headers: x-goog-authuser
                                                          Origin: https://accounts.google.com
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                          Sec-Fetch-Mode: cors
                                                          Sec-Fetch-Site: same-site
                                                          Sec-Fetch-Dest: empty
                                                          Referer: https://accounts.google.com/
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.9
                                                          2024-10-02 17:08:16 UTC | 520 | IN | HTTP/1.1 200 OK
                                                          Access-Control-Allow-Origin: https://accounts.google.com
                                                          Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                          Access-Control-Max-Age: 86400
                                                          Access-Control-Allow-Credentials: true
                                                          Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser
                                                          Content-Type: text/plain; charset=UTF-8
                                                          Date: Wed, 02 Oct 2024 17:08:16 GMT
                                                          Server: Playlog
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          6 | 192.168.2.7 | 49731 | 216.58.212.142 | 443 | 1432 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-10-02 17:08:16 UTC | 549 | OUT | OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                          Host: play.google.com
                                                          Connection: keep-alive
                                                          Accept: */*
                                                          Access-Control-Request-Method: POST
                                                          Access-Control-Request-Headers: x-goog-authuser
                                                          Origin: https://accounts.google.com
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                          Sec-Fetch-Mode: cors
                                                          Sec-Fetch-Site: same-site
                                                          Sec-Fetch-Dest: empty
                                                          Referer: https://accounts.google.com/
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.9
                                                          2024-10-02 17:08:16 UTC | 520 | IN | HTTP/1.1 200 OK
                                                          Access-Control-Allow-Origin: https://accounts.google.com
                                                          Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                          Access-Control-Max-Age: 86400
                                                          Access-Control-Allow-Credentials: true
                                                          Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser
                                                          Content-Type: text/plain; charset=UTF-8
                                                          Date: Wed, 02 Oct 2024 17:08:16 GMT
                                                          Server: Playlog
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          7 | 192.168.2.7 | 49734 | 216.58.212.142 | 443 | 1432 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-10-02 17:08:16 UTC | 1112 | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                          Host: play.google.com
                                                          Connection: keep-alive
                                                          Content-Length: 507
                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                          sec-ch-ua-mobile: ?0
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                          sec-ch-ua-arch: "x86"
                                                          Content-Type: application/x-www-form-urlencoded;charset=UTF-8
                                                          sec-ch-ua-full-version: "117.0.5938.134"
                                                          sec-ch-ua-platform-version: "10.0.0"
                                                          X-Goog-AuthUser: 0
                                                          sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                                                          sec-ch-ua-bitness: "64"
                                                          sec-ch-ua-model: ""
                                                          sec-ch-ua-wow64: ?0
                                                          sec-ch-ua-platform: "Windows"
                                                          Accept: */*
                                                          Origin: https://accounts.google.com
                                                          X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
                                                          Sec-Fetch-Site: same-site
                                                          Sec-Fetch-Mode: cors
                                                          Sec-Fetch-Dest: empty
                                                          Referer: https://accounts.google.com/
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.9
                                                          2024-10-02 17:08:16 UTC | 507 | OUT | Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 38 39 34 34 37 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c
                                                          Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727888894475",null,null,null
                                                          2024-10-02 17:08:17 UTC | 933 | IN | HTTP/1.1 200 OK
                                                          Access-Control-Allow-Origin: https://accounts.google.com
                                                          Cross-Origin-Resource-Policy: cross-origin
                                                          Access-Control-Allow-Credentials: true
                                                          Access-Control-Allow-Headers: X-Playlog-Web
                                                          Set-Cookie: NID=518=tUe7EK79a3Eq4KuHikf5HTA3aub_EBxTDaoK-io6brp5LkZNuPF1_ac9L54eMYf4B-KZRHe66u_n4v842L9_-hBaXbmoPGZbwiURWfJ1jvRITkMKeNzSKcqx5-UEfqABz5Vv_5rVpyG7sX8ho8ZgPM2Bm7hMLAhcvdpFdepiTEBM7UpFOF8; expires=Thu, 03-Apr-2025 17:08:17 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                          P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                          Content-Type: text/plain; charset=UTF-8
                                                          Date: Wed, 02 Oct 2024 17:08:17 GMT
                                                          Server: Playlog
                                                          Cache-Control: private
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Accept-Ranges: none
                                                          Vary: Accept-Encoding
                                                          Expires: Wed, 02 Oct 2024 17:08:17 GMT
                                                          Connection: close
                                                          Transfer-Encoding: chunked
                                                          2024-10-02 17:08:17 UTC | 137 | IN | Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a
                                                          Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                          2024-10-02 17:08:17 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          8 | 192.168.2.7 | 49736 | 216.58.212.142 | 443 | 1432 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-10-02 17:08:17 UTC | 1112 | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                          Host: play.google.com
                                                          Connection: keep-alive
                                                          Content-Length: 519
                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                          sec-ch-ua-mobile: ?0
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                          sec-ch-ua-arch: "x86"
                                                          Content-Type: application/x-www-form-urlencoded;charset=UTF-8
                                                          sec-ch-ua-full-version: "117.0.5938.134"
                                                          sec-ch-ua-platform-version: "10.0.0"
                                                          X-Goog-AuthUser: 0
                                                          sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                                                          sec-ch-ua-bitness: "64"
                                                          sec-ch-ua-model: ""
                                                          sec-ch-ua-wow64: ?0
                                                          sec-ch-ua-platform: "Windows"
                                                          Accept: */*
                                                          Origin: https://accounts.google.com
                                                          X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
                                                          Sec-Fetch-Site: same-site
                                                          Sec-Fetch-Mode: cors
                                                          Sec-Fetch-Dest: empty
                                                          Referer: https://accounts.google.com/
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.9
                                                          2024-10-02 17:08:17 UTC | 519 | OUT | Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 38 39 34 38 33 31 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c
                                                          Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727888894831",null,null,null
                                                          2024-10-02 17:08:17 UTC | 932 | IN | HTTP/1.1 200 OK
                                                          Access-Control-Allow-Origin: https://accounts.google.com
                                                          Cross-Origin-Resource-Policy: cross-origin
                                                          Access-Control-Allow-Credentials: true
                                                          Access-Control-Allow-Headers: X-Playlog-Web
                                                          Set-Cookie: NID=518=mw5dS35IUArFNqfBh-1DPq_dIHjS5CGwXkW95-xyUCBHiiEdGGEkS9j3P84dxoXHwnpqON_Y854aIPBouTmTa-t7HgdjI0TRhQ3o-iV0tZEp1z1UZ3L4YWVD3jc6zsbR71sIbEhZ2ABwt6jItUAgvSO82qrkwThJSVQo5TIUYmKoxNxfEA; expires=Thu, 03-Apr-2025 17:08:17 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                          P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                          Content-Type: text/plain; charset=UTF-8
                                                          Date: Wed, 02 Oct 2024 17:08:17 GMT
                                                          Server: Playlog
                                                          Cache-Control: private
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Accept-Ranges: none
                                                          Vary: Accept-Encoding
                                                          Expires: Wed, 02 Oct 2024 17:08:17 GMT
                                                          Connection: close
                                                          Transfer-Encoding: chunked
                                                          2024-10-02 17:08:17 UTC | 137 | IN | Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a
                                                          Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                          2024-10-02 17:08:17 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          9 | 192.168.2.7 | 49711 | 216.58.206.36 | 443 | 1432 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-10-02 17:08:17 UTC | 1201 | OUT | GET /favicon.ico HTTP/1.1
                                                          Host: www.google.com
                                                          Connection: keep-alive
                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                          sec-ch-ua-mobile: ?0
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                          sec-ch-ua-arch: "x86"
                                                          sec-ch-ua-full-version: "117.0.5938.134"
                                                          sec-ch-ua-platform-version: "10.0.0"
                                                          sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                                                          sec-ch-ua-bitness: "64"
                                                          sec-ch-ua-model: ""
                                                          sec-ch-ua-wow64: ?0
                                                          sec-ch-ua-platform: "Windows"
                                                          Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                                                          X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
                                                          Sec-Fetch-Site: same-site
                                                          Sec-Fetch-Mode: no-cors
                                                          Sec-Fetch-Dest: image
                                                          Referer: https://accounts.google.com/
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.9
                                                          Cookie: NID=518=mw5dS35IUArFNqfBh-1DPq_dIHjS5CGwXkW95-xyUCBHiiEdGGEkS9j3P84dxoXHwnpqON_Y854aIPBouTmTa-t7HgdjI0TRhQ3o-iV0tZEp1z1UZ3L4YWVD3jc6zsbR71sIbEhZ2ABwt6jItUAgvSO82qrkwThJSVQo5TIUYmKoxNxfEA
                                                          2024-10-02 17:08:18 UTC | 706 | IN | HTTP/1.1 200 OK
                                                          Accept-Ranges: bytes
                                                          Cross-Origin-Resource-Policy: cross-origin
                                                          Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable"
                                                          Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]}
                                                          Content-Length: 5430
                                                          X-Content-Type-Options: nosniff
                                                          Server: sffe
                                                          X-XSS-Protection: 0
                                                          Date: Wed, 02 Oct 2024 13:38:50 GMT
                                                          Expires: Thu, 10 Oct 2024 13:38:50 GMT
                                                          Cache-Control: public, max-age=691200
                                                          Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT
                                                          Content-Type: image/x-icon
                                                          Vary: Accept-Encoding
                                                          Age: 12568
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close
                                                          2024-10-02 17:08:18 UTC | 684 | IN | Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff
                                                          Data Ascii: h& ( 0.v]X:X:rY
                                                          2024-10-02 17:08:18 UTC | 1390 | IN | Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c
                                                          Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<
                                                          2024-10-02 17:08:18 UTC | 1390 | IN | Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42
                                                          Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
                                                          2024-10-02 17:08:18 UTC | 1390 | IN | Data Raw: 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                          Data Ascii: BBBBBBBF!4I
                                                          2024-10-02 17:08:18 UTC | 576 | IN | Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                          Data Ascii: $'


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          10 | 192.168.2.7 | 49737 | 13.85.23.86 | 443 | (not attributed) | (not attributed)
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-10-02 17:08:18 UTC | 306 | OUT | GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CPDyww1OOnssaDW&MD=wyszWg9z HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Accept: */*
                                                          User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                                                          Host: slscr.update.microsoft.com
                                                          2024-10-02 17:08:18 UTC | 560 | IN | HTTP/1.1 200 OK
                                                          Cache-Control: no-cache
                                                          Pragma: no-cache
                                                          Content-Type: application/octet-stream
                                                          Expires: -1
                                                          Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                                                          ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"
                                                          MS-CorrelationId: 0e2ccd6f-60ad-4ec7-9866-df18b2f48f5a
                                                          MS-RequestId: 1c6f7556-0136-4ada-97c3-3e9db1f71b5f
                                                          MS-CV: C4Y7DdjDyUOEWsRO.0
                                                          X-Microsoft-SLSClientCache: 2880
                                                          Content-Disposition: attachment; filename=environment.cab
                                                          X-Content-Type-Options: nosniff
                                                          Date: Wed, 02 Oct 2024 17:08:18 GMT
                                                          Connection: close
                                                          Content-Length: 24490
                                                          2024-10-02 17:08:18 UTC | 15824 | IN | Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58
                                                          Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
                                                           2024-10-02 17:08:18 UTC | 8666 | IN | Data Raw: (hex dump of the remaining environment.cab bytes omitted)


                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                           11 | 192.168.2.7 | 49748 | 216.58.212.142 | 443 | 1432 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                           Timestamp | Bytes transferred | Direction | Data
                                                           2024-10-02 17:08:23 UTC | 1286 | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                          Host: play.google.com
                                                          Connection: keep-alive
                                                          Content-Length: 1218
                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                          sec-ch-ua-mobile: ?0
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                          sec-ch-ua-arch: "x86"
                                                          Content-Type: text/plain;charset=UTF-8
                                                          sec-ch-ua-full-version: "117.0.5938.134"
                                                          sec-ch-ua-platform-version: "10.0.0"
                                                          X-Goog-AuthUser: 0
                                                          sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                                                          sec-ch-ua-bitness: "64"
                                                          sec-ch-ua-model: ""
                                                          sec-ch-ua-wow64: ?0
                                                          sec-ch-ua-platform: "Windows"
                                                          Accept: */*
                                                          Origin: https://accounts.google.com
                                                          X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
                                                          Sec-Fetch-Site: same-site
                                                          Sec-Fetch-Mode: cors
                                                          Sec-Fetch-Dest: empty
                                                          Referer: https://accounts.google.com/
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.9
                                                          Cookie: NID=518=mw5dS35IUArFNqfBh-1DPq_dIHjS5CGwXkW95-xyUCBHiiEdGGEkS9j3P84dxoXHwnpqON_Y854aIPBouTmTa-t7HgdjI0TRhQ3o-iV0tZEp1z1UZ3L4YWVD3jc6zsbR71sIbEhZ2ABwt6jItUAgvSO82qrkwThJSVQo5TIUYmKoxNxfEA
                                                           2024-10-02 17:08:23 UTC | 1218 | OUT | Data Ascii (hex dump omitted): [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[4,0,0,0,0]]],558,[["1727888892000",null,null,null,
                                                           2024-10-02 17:08:23 UTC | 940 | IN | HTTP/1.1 200 OK
                                                          Access-Control-Allow-Origin: https://accounts.google.com
                                                          Cross-Origin-Resource-Policy: cross-origin
                                                          Access-Control-Allow-Credentials: true
                                                          Access-Control-Allow-Headers: X-Playlog-Web
                                                          Set-Cookie: NID=518=pd4xqzs0DRPttcdS7-yvQTSq8TxdcYPPrkf_LF4eaX0xkCVUBtY11brxJh4cMgECf5eVO0S9kDYf3K_j7_J2GYHLozTyy-9LsuIrGqJcg4nef98Hb8obCRQKaahQT--HFK3Fncfbgs5zvLzzKq5zVzWPwsi3hr1Z-ZjY3DhPMaWBWVk243YO05UVsg; expires=Thu, 03-Apr-2025 17:08:23 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                          P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                          Content-Type: text/plain; charset=UTF-8
                                                          Date: Wed, 02 Oct 2024 17:08:23 GMT
                                                          Server: Playlog
                                                          Cache-Control: private
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Accept-Ranges: none
                                                          Vary: Accept-Encoding
                                                          Expires: Wed, 02 Oct 2024 17:08:23 GMT
                                                          Connection: close
                                                          Transfer-Encoding: chunked
                                                           2024-10-02 17:08:23 UTC | 137 | IN | Data Ascii (hex dump omitted): 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                           2024-10-02 17:08:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                           Data Ascii: 0


                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                           12 | 192.168.2.7 | 64022 | 20.3.187.198 | 443 | - | -
                                                           Timestamp | Bytes transferred | Direction | Data
                                                           2024-10-02 17:08:34 UTC | 142 | OUT | GET /clientwebservice/ping HTTP/1.1
                                                          Connection: Keep-Alive
                                                          User-Agent: DNS resiliency checker/1.0
                                                          Host: fe3cr.delivery.mp.microsoft.com
                                                           2024-10-02 17:08:35 UTC | 234 | IN | HTTP/1.1 200 OK
                                                          Cache-Control: no-cache
                                                          Pragma: no-cache
                                                          Expires: -1
                                                          Server: Microsoft-IIS/10.0
                                                          X-Powered-By: ASP.NET
                                                          X-Content-Type-Options: nosniff
                                                          Date: Wed, 02 Oct 2024 17:08:34 GMT
                                                          Connection: close
                                                          Content-Length: 0


                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                           13 | 192.168.2.7 | 64023 | 13.85.23.86 | 443 | - | -
                                                           Timestamp | Bytes transferred | Direction | Data
                                                           2024-10-02 17:08:35 UTC | 124 | OUT | GET /sls/ping HTTP/1.1
                                                          Connection: Keep-Alive
                                                          User-Agent: DNS resiliency checker/1.0
                                                          Host: slscr.update.microsoft.com
                                                           2024-10-02 17:08:35 UTC | 318 | IN | HTTP/1.1 200 OK
                                                          Cache-Control: no-cache
                                                          Pragma: no-cache
                                                          Expires: -1
                                                          MS-CV: jHOzxZBRhkK7v7gR.0
                                                          MS-RequestId: fde03089-da8f-4910-a1c3-34903baa85a2
                                                          MS-CorrelationId: 8e98f9e0-d083-458d-9572-4d50c8eddf92
                                                          X-Content-Type-Options: nosniff
                                                          Date: Wed, 02 Oct 2024 17:08:34 GMT
                                                          Connection: close
                                                          Content-Length: 0


                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                           14 | 192.168.2.7 | 64024 | 4.175.87.197 | 443 | - | -
                                                           Timestamp | Bytes transferred | Direction | Data
                                                           2024-10-02 17:08:38 UTC | 306 | OUT | GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CPDyww1OOnssaDW&MD=wyszWg9z HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Accept: */*
                                                          User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                                                          Host: slscr.update.microsoft.com
                                                           2024-10-02 17:08:38 UTC | 560 | IN | HTTP/1.1 200 OK
                                                          Cache-Control: no-cache
                                                          Pragma: no-cache
                                                          Content-Type: application/octet-stream
                                                          Expires: -1
                                                          Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                                                          ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"
                                                          MS-CorrelationId: 735aeeda-4f02-4a85-8a32-6ce64ea54177
                                                          MS-RequestId: 2c693ca8-4980-4ceb-b8b6-4adf73159b44
                                                          MS-CV: krG4TRlHo0m/VT26.0
                                                          X-Microsoft-SLSClientCache: 2880
                                                          Content-Disposition: attachment; filename=environment.cab
                                                          X-Content-Type-Options: nosniff
                                                          Date: Wed, 02 Oct 2024 17:08:38 GMT
                                                          Connection: close
                                                          Content-Length: 24490
                                                           2024-10-02 17:08:38 UTC | 15824 | IN | Data Raw: (hex dump of the environment.cab binary omitted; it begins with the MSCF cabinet signature)
                                                           2024-10-02 17:08:38 UTC | 8666 | IN | Data Raw: (hex dump of the remaining environment.cab bytes omitted)


                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                           15 | 192.168.2.7 | 64025 | 4.175.87.197 | 443 | - | -
                                                           Timestamp | Bytes transferred | Direction | Data
                                                           2024-10-02 17:08:40 UTC | 306 | OUT | GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CPDyww1OOnssaDW&MD=wyszWg9z HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Accept: */*
                                                          User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                                                          Host: slscr.update.microsoft.com
                                                           2024-10-02 17:08:40 UTC | 560 | IN | HTTP/1.1 200 OK
                                                          Cache-Control: no-cache
                                                          Pragma: no-cache
                                                          Content-Type: application/octet-stream
                                                          Expires: -1
                                                          Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                                                          ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440"
                                                          MS-CorrelationId: ff169564-1b90-4218-8d44-9d40ae6d5905
                                                          MS-RequestId: e694d653-c3b2-4e6d-90c6-341528e3c86d
                                                          MS-CV: 0b8fk+L35UCtVJpH.0
                                                          X-Microsoft-SLSClientCache: 1440
                                                          Content-Disposition: attachment; filename=environment.cab
                                                          X-Content-Type-Options: nosniff
                                                          Date: Wed, 02 Oct 2024 17:08:40 GMT
                                                          Connection: close
                                                          Content-Length: 30005
                                                           2024-10-02 17:08:40 UTC | 15824 | IN | Data Raw: (hex dump of the environment.cab binary omitted; it begins with the MSCF cabinet signature)
                                                           2024-10-02 17:08:40 UTC | 14181 | IN | Data Raw: (hex dump omitted; the ASCII rendering shows X.509 name fields for Microsoft Corporation and Microsoft Time-Stamp PCA 2010)


                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                           16 | 192.168.2.7 | 64026 | 216.58.206.78 | 443 | 1432 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                           Timestamp | Bytes transferred | Direction | Data
                                                           2024-10-02 17:08:46 UTC | 1317 | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                          Host: play.google.com
                                                          Connection: keep-alive
                                                          Content-Length: 1119
                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                          sec-ch-ua-mobile: ?0
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                          sec-ch-ua-arch: "x86"
                                                          Content-Type: application/x-www-form-urlencoded;charset=UTF-8
                                                          sec-ch-ua-full-version: "117.0.5938.134"
                                                          sec-ch-ua-platform-version: "10.0.0"
                                                          X-Goog-AuthUser: 0
                                                          sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                                                          sec-ch-ua-bitness: "64"
                                                          sec-ch-ua-model: ""
                                                          sec-ch-ua-wow64: ?0
                                                          sec-ch-ua-platform: "Windows"
                                                          Accept: */*
                                                          Origin: https://accounts.google.com
                                                          X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
                                                          Sec-Fetch-Site: same-site
                                                          Sec-Fetch-Mode: cors
                                                          Sec-Fetch-Dest: empty
                                                          Referer: https://accounts.google.com/
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.9
                                                          Cookie: NID=518=pd4xqzs0DRPttcdS7-yvQTSq8TxdcYPPrkf_LF4eaX0xkCVUBtY11brxJh4cMgECf5eVO0S9kDYf3K_j7_J2GYHLozTyy-9LsuIrGqJcg4nef98Hb8obCRQKaahQT--HFK3Fncfbgs5zvLzzKq5zVzWPwsi3hr1Z-ZjY3DhPMaWBWVk243YO05UVsg
                                                           2024-10-02 17:08:46 UTC | 1119 | OUT | Data Ascii (hex dump omitted): [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727888925337",null,null,null
                                                           2024-10-02 17:08:46 UTC | 523 | IN | HTTP/1.1 200 OK
                                                          Access-Control-Allow-Origin: https://accounts.google.com
                                                          Cross-Origin-Resource-Policy: cross-origin
                                                          Access-Control-Allow-Credentials: true
                                                          Access-Control-Allow-Headers: X-Playlog-Web
                                                          Content-Type: text/plain; charset=UTF-8
                                                          Date: Wed, 02 Oct 2024 17:08:46 GMT
                                                          Server: Playlog
                                                          Cache-Control: private
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Accept-Ranges: none
                                                          Vary: Accept-Encoding
                                                          Connection: close
                                                          Transfer-Encoding: chunked
                                                           2024-10-02 17:08:46 UTC | 137 | IN | Data Ascii (hex dump omitted): 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                           2024-10-02 17:08:46 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                           Data Ascii: 0


                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                           17 | 192.168.2.7 | 64027 | 216.58.206.78 | 443 | 1432 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                           Timestamp | Bytes transferred | Direction | Data
                                                           2024-10-02 17:08:46 UTC | 1317 | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                          Host: play.google.com
                                                          Connection: keep-alive
                                                          Content-Length: 1390
                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                          sec-ch-ua-mobile: ?0
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                          sec-ch-ua-arch: "x86"
                                                          Content-Type: application/x-www-form-urlencoded;charset=UTF-8
                                                          sec-ch-ua-full-version: "117.0.5938.134"
                                                          sec-ch-ua-platform-version: "10.0.0"
                                                          X-Goog-AuthUser: 0
                                                          sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                                                          sec-ch-ua-bitness: "64"
                                                          sec-ch-ua-model: ""
                                                          sec-ch-ua-wow64: ?0
                                                          sec-ch-ua-platform: "Windows"
                                                          Accept: */*
                                                          Origin: https://accounts.google.com
                                                          X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
                                                          Sec-Fetch-Site: same-site
                                                          Sec-Fetch-Mode: cors
                                                          Sec-Fetch-Dest: empty
                                                          Referer: https://accounts.google.com/
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.9
                                                          Cookie: NID=518=pd4xqzs0DRPttcdS7-yvQTSq8TxdcYPPrkf_LF4eaX0xkCVUBtY11brxJh4cMgECf5eVO0S9kDYf3K_j7_J2GYHLozTyy-9LsuIrGqJcg4nef98Hb8obCRQKaahQT--HFK3Fncfbgs5zvLzzKq5zVzWPwsi3hr1Z-ZjY3DhPMaWBWVk243YO05UVsg
                                                           2024-10-02 17:08:46 UTC | 1390 | OUT | Data Ascii (hex dump omitted): [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727888925415",null,null,null
                                                           2024-10-02 17:08:46 UTC | 523 | IN | HTTP/1.1 200 OK
                                                          Access-Control-Allow-Origin: https://accounts.google.com
                                                          Cross-Origin-Resource-Policy: cross-origin
                                                          Access-Control-Allow-Credentials: true
                                                          Access-Control-Allow-Headers: X-Playlog-Web
                                                          Content-Type: text/plain; charset=UTF-8
                                                          Date: Wed, 02 Oct 2024 17:08:46 GMT
                                                          Server: Playlog
                                                          Cache-Control: private
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Accept-Ranges: none
                                                          Vary: Accept-Encoding
                                                          Connection: close
                                                          Transfer-Encoding: chunked
                                                          2024-10-02 17:08:46 UTC137INData Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a
                                                          Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                          2024-10-02 17:08:46 UTC5INData Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


Session ID: 18
Source IP: 192.168.2.7
Source Port: 64028
Destination IP: 216.58.206.78
Destination Port: 443
PID: 1432
Process: C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-02 17:08:47 UTC | 1276 | OUT | POST /log?hasfast=true&authuser=0&format=json HTTP/1.1
Host: play.google.com
Connection: keep-alive
Content-Length: 864
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-arch: "x86"
sec-ch-ua-full-version: "117.0.5938.134"
Content-Type: text/plain;charset=UTF-8
sec-ch-ua-platform-version: "10.0.0"
sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
sec-ch-ua-bitness: "64"
sec-ch-ua-model: ""
sec-ch-ua-wow64: ?0
sec-ch-ua-platform: "Windows"
Accept: */*
Origin: https://accounts.google.com
X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
Referer: https://accounts.google.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: NID=518=pd4xqzs0DRPttcdS7-yvQTSq8TxdcYPPrkf_LF4eaX0xkCVUBtY11brxJh4cMgECf5eVO0S9kDYf3K_j7_J2GYHLozTyy-9LsuIrGqJcg4nef98Hb8obCRQKaahQT--HFK3Fncfbgs5zvLzzKq5zVzWPwsi3hr1Z-ZjY3DhPMaWBWVk243YO05UVsg
2024-10-02 17:08:47 UTC | 864 | OUT | Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240929.07_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[3,0,0
2024-10-02 17:08:47 UTC | 523 | IN | HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://accounts.google.com
Cross-Origin-Resource-Policy: cross-origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: X-Playlog-Web
Content-Type: text/plain; charset=UTF-8
Date: Wed, 02 Oct 2024 17:08:47 GMT
Server: Playlog
Cache-Control: private
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
2024-10-02 17:08:47 UTC | 137 | IN | Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:08:47 UTC | 5 | IN | Data Ascii: 0


Session ID: 19
Source IP: 192.168.2.7
Source Port: 64034
Destination IP: 216.58.206.78
Destination Port: 443
PID: 1432
Process: C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-02 17:09:16 UTC | 1317 | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
Host: play.google.com
Connection: keep-alive
Content-Length: 1348
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-arch: "x86"
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
sec-ch-ua-full-version: "117.0.5938.134"
sec-ch-ua-platform-version: "10.0.0"
X-Goog-AuthUser: 0
sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
sec-ch-ua-bitness: "64"
sec-ch-ua-model: ""
sec-ch-ua-wow64: ?0
sec-ch-ua-platform: "Windows"
Accept: */*
Origin: https://accounts.google.com
X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://accounts.google.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: NID=518=pd4xqzs0DRPttcdS7-yvQTSq8TxdcYPPrkf_LF4eaX0xkCVUBtY11brxJh4cMgECf5eVO0S9kDYf3K_j7_J2GYHLozTyy-9LsuIrGqJcg4nef98Hb8obCRQKaahQT--HFK3Fncfbgs5zvLzzKq5zVzWPwsi3hr1Z-ZjY3DhPMaWBWVk243YO05UVsg
2024-10-02 17:09:16 UTC | 1348 | OUT | Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727892582006",null,null,null
2024-10-02 17:09:17 UTC | 523 | IN | HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://accounts.google.com
Cross-Origin-Resource-Policy: cross-origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: X-Playlog-Web
Content-Type: text/plain; charset=UTF-8
Date: Wed, 02 Oct 2024 17:09:16 GMT
Server: Playlog
Cache-Control: private
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
2024-10-02 17:09:17 UTC | 137 | IN | Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:09:17 UTC | 5 | IN | Data Ascii: 0


Session ID: 20
Source IP: 192.168.2.7
Source Port: 64033
Destination IP: 216.58.206.78
Destination Port: 443
PID: 1432
Process: C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-02 17:09:16 UTC | 1317 | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
Host: play.google.com
Connection: keep-alive
Content-Length: 1328
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-arch: "x86"
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
sec-ch-ua-full-version: "117.0.5938.134"
sec-ch-ua-platform-version: "10.0.0"
X-Goog-AuthUser: 0
sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
sec-ch-ua-bitness: "64"
sec-ch-ua-model: ""
sec-ch-ua-wow64: ?0
sec-ch-ua-platform: "Windows"
Accept: */*
Origin: https://accounts.google.com
X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://accounts.google.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: NID=518=pd4xqzs0DRPttcdS7-yvQTSq8TxdcYPPrkf_LF4eaX0xkCVUBtY11brxJh4cMgECf5eVO0S9kDYf3K_j7_J2GYHLozTyy-9LsuIrGqJcg4nef98Hb8obCRQKaahQT--HFK3Fncfbgs5zvLzzKq5zVzWPwsi3hr1Z-ZjY3DhPMaWBWVk243YO05UVsg
2024-10-02 17:09:16 UTC | 1328 | OUT | Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727892582007",null,null,null
2024-10-02 17:09:17 UTC | 523 | IN | HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://accounts.google.com
Cross-Origin-Resource-Policy: cross-origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: X-Playlog-Web
Content-Type: text/plain; charset=UTF-8
Date: Wed, 02 Oct 2024 17:09:16 GMT
Server: Playlog
Cache-Control: private
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
2024-10-02 17:09:17 UTC | 137 | IN | Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:09:17 UTC | 5 | IN | Data Ascii: 0


Session ID: 21
Source IP: 192.168.2.7
Source Port: 64036
Destination IP: 216.58.206.78
Destination Port: 443
PID: 1432
Process: C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-02 17:09:48 UTC | 1317 | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
Host: play.google.com
Connection: keep-alive
Content-Length: 1261
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-arch: "x86"
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
sec-ch-ua-full-version: "117.0.5938.134"
sec-ch-ua-platform-version: "10.0.0"
X-Goog-AuthUser: 0
sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
sec-ch-ua-bitness: "64"
sec-ch-ua-model: ""
sec-ch-ua-wow64: ?0
sec-ch-ua-platform: "Windows"
Accept: */*
Origin: https://accounts.google.com
X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://accounts.google.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: NID=518=pd4xqzs0DRPttcdS7-yvQTSq8TxdcYPPrkf_LF4eaX0xkCVUBtY11brxJh4cMgECf5eVO0S9kDYf3K_j7_J2GYHLozTyy-9LsuIrGqJcg4nef98Hb8obCRQKaahQT--HFK3Fncfbgs5zvLzzKq5zVzWPwsi3hr1Z-ZjY3DhPMaWBWVk243YO05UVsg
2024-10-02 17:09:48 UTC | 1261 | OUT | Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727892613630",null,null,null
2024-10-02 17:09:48 UTC | 523 | IN | HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://accounts.google.com
Cross-Origin-Resource-Policy: cross-origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: X-Playlog-Web
Content-Type: text/plain; charset=UTF-8
Date: Wed, 02 Oct 2024 17:09:48 GMT
Server: Playlog
Cache-Control: private
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
2024-10-02 17:09:48 UTC | 137 | IN | Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:09:48 UTC | 5 | IN | Data Ascii: 0


                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                          22192.168.2.764037216.58.206.784431432C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          TimestampBytes transferredDirectionData
                                                          2024-10-02 17:09:48 UTC1317OUTPOST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                          Host: play.google.com
                                                          Connection: keep-alive
                                                          Content-Length: 1121
                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                          sec-ch-ua-mobile: ?0
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                          sec-ch-ua-arch: "x86"
                                                          Content-Type: application/x-www-form-urlencoded;charset=UTF-8
                                                          sec-ch-ua-full-version: "117.0.5938.134"
                                                          sec-ch-ua-platform-version: "10.0.0"
                                                          X-Goog-AuthUser: 0
                                                          sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                                                          sec-ch-ua-bitness: "64"
                                                          sec-ch-ua-model: ""
                                                          sec-ch-ua-wow64: ?0
                                                          sec-ch-ua-platform: "Windows"
                                                          Accept: */*
                                                          Origin: https://accounts.google.com
                                                          X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
                                                          Sec-Fetch-Site: same-site
                                                          Sec-Fetch-Mode: cors
                                                          Sec-Fetch-Dest: empty
                                                          Referer: https://accounts.google.com/
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.9
                                                          Cookie: NID=518=pd4xqzs0DRPttcdS7-yvQTSq8TxdcYPPrkf_LF4eaX0xkCVUBtY11brxJh4cMgECf5eVO0S9kDYf3K_j7_J2GYHLozTyy-9LsuIrGqJcg4nef98Hb8obCRQKaahQT--HFK3Fncfbgs5zvLzzKq5zVzWPwsi3hr1Z-ZjY3DhPMaWBWVk243YO05UVsg
                                                          2024-10-02 17:09:48 UTC, 1121 bytes, OUT
                                                          Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 39 32 36 31 33 37 34 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c
                                                          Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727892613740",null,null,null
                                                          2024-10-02 17:09:48 UTC, 523 bytes, IN
                                                          HTTP/1.1 200 OK
                                                          Access-Control-Allow-Origin: https://accounts.google.com
                                                          Cross-Origin-Resource-Policy: cross-origin
                                                          Access-Control-Allow-Credentials: true
                                                          Access-Control-Allow-Headers: X-Playlog-Web
                                                          Content-Type: text/plain; charset=UTF-8
                                                          Date: Wed, 02 Oct 2024 17:09:48 GMT
                                                          Server: Playlog
                                                          Cache-Control: private
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Accept-Ranges: none
                                                          Vary: Accept-Encoding
                                                          Connection: close
                                                          Transfer-Encoding: chunked
                                                          2024-10-02 17:09:48 UTC, 137 bytes, IN
                                                          Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a
                                                          Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                          2024-10-02 17:09:48 UTC, 5 bytes, IN
                                                          Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Target ID:0
                                                          Start time:13:08:00
                                                          Start date:02/10/2024
                                                          Path:C:\Users\user\Desktop\file.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\file.exe"
                                                          Imagebase:0x7c0000
                                                          File size:918'528 bytes
                                                          MD5 hash:AA9949BD15875A5926FBF69EE1CBAB14
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:1
                                                          Start time:13:08:00
                                                          Start date:02/10/2024
                                                          Path:C:\Windows\SysWOW64\taskkill.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskkill /F /IM chrome.exe /T
                                                          Imagebase:0xd00000
                                                          File size:74'240 bytes
                                                          MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:2
                                                          Start time:13:08:00
                                                          Start date:02/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff75da10000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:4
                                                          Start time:13:08:02
                                                          Start date:02/10/2024
                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
                                                          Imagebase:0x7ff6c4390000
                                                          File size:3'242'272 bytes
                                                          MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:8
                                                          Start time:13:08:03
                                                          Start date:02/10/2024
                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=2024,i,9003555246335183954,2073049887589838962,262144 /prefetch:8
                                                          Imagebase:0x7ff6c4390000
                                                          File size:3'242'272 bytes
                                                          MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:15
                                                          Start time:13:08:14
                                                          Start date:02/10/2024
                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5564 --field-trial-handle=2024,i,9003555246335183954,2073049887589838962,262144 /prefetch:8
                                                          Imagebase:0x7ff6c4390000
                                                          File size:3'242'272 bytes
                                                          MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:16
                                                          Start time:13:08:14
                                                          Start date:02/10/2024
                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 --field-trial-handle=2024,i,9003555246335183954,2073049887589838962,262144 /prefetch:8
                                                          Imagebase:0x7ff6c4390000
                                                          File size:3'242'272 bytes
                                                          MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true


                                                            Execution Graph

                                                            Execution Coverage:2.1%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:4.6%
                                                            Total number of Nodes:1604
                                                            Total number of Limit Nodes:53
95547->95546 95548 7dfe0b 22 API calls 95547->95548 95548->95549 95549->95534 95550->95470 95552 82dc06 95551->95552 95553 82dbdc GetFileAttributesW 95551->95553 95552->95234 95553->95552 95554 82dbe8 FindFirstFileW 95553->95554 95554->95552 95555 82dbf9 FindClose 95554->95555 95555->95552 95557 7cae01 95556->95557 95560 7cae1c ISource 95556->95560 95558 7caec9 22 API calls 95557->95558 95559 7cae09 CharUpperBuffW 95558->95559 95559->95560 95560->95040 95562 7cacae 95561->95562 95563 7cacd1 95562->95563 95592 83359c 82 API calls __wsopen_s 95562->95592 95563->95065 95566 80fadb 95565->95566 95567 7cad92 95565->95567 95568 7dfddb 22 API calls 95567->95568 95569 7cad99 95568->95569 95593 7cadcd 95569->95593 95572->95091 95573->95067 95574->95067 95575->95045 95576->95083 95577->95059 95578->95083 95579->95083 95580->95065 95581->95065 95582->95065 95583->95065 95584->95065 95585->95065 95586->95073 95587->95083 95588->95080 95589->95081 95590->95090 95591->95083 95592->95563 95597 7caddd 95593->95597 95594 7cadb6 95594->95065 95595 7dfddb 22 API calls 95595->95597 95596 7ca961 22 API calls 95596->95597 95597->95594 95597->95595 95597->95596 95599 7cadcd 22 API calls 95597->95599 95600 7ca8c7 22 API calls __fread_nolock 95597->95600 95599->95597 95600->95597 95601 802402 95604 7c1410 95601->95604 95605 7c144f mciSendStringW 95604->95605 95606 8024b8 DestroyWindow 95604->95606 95607 7c146b 95605->95607 95609 7c16c6 95605->95609 95611 8024c4 95606->95611 95608 7c1479 95607->95608 95607->95611 95637 7c182e 95608->95637 95609->95607 95610 7c16d5 UnregisterHotKey 95609->95610 95610->95609 95613 802509 95611->95613 95614 8024e2 FindClose 95611->95614 95615 8024d8 95611->95615 95619 80251c FreeLibrary 95613->95619 95620 80252d 95613->95620 95614->95611 95615->95611 95643 7c6246 CloseHandle 95615->95643 95618 7c148e 95618->95620 95625 7c149c 95618->95625 95619->95613 95621 802541 VirtualFree 95620->95621 95628 7c1509 95620->95628 95621->95620 95622 7c14f8 CoUninitialize 
95622->95628 95623 7c1514 95627 7c1524 95623->95627 95624 802589 95630 802598 ISource 95624->95630 95644 8332eb 6 API calls ISource 95624->95644 95625->95622 95641 7c1944 VirtualFreeEx CloseHandle 95627->95641 95628->95623 95628->95624 95633 802627 95630->95633 95645 8264d4 22 API calls ISource 95630->95645 95632 7c153a 95632->95630 95634 7c161f 95632->95634 95633->95633 95634->95633 95642 7c1876 CloseHandle InternetCloseHandle InternetCloseHandle WaitForSingleObject 95634->95642 95636 7c16c1 95639 7c183b 95637->95639 95638 7c1480 95638->95613 95638->95618 95639->95638 95646 82702a 22 API calls 95639->95646 95641->95632 95642->95636 95643->95615 95644->95624 95645->95630 95646->95639 95647 7cf7bf 95648 7cfcb6 95647->95648 95649 7cf7d3 95647->95649 95684 7caceb 23 API calls ISource 95648->95684 95651 7cfcc2 95649->95651 95652 7dfddb 22 API calls 95649->95652 95685 7caceb 23 API calls ISource 95651->95685 95654 7cf7e5 95652->95654 95654->95651 95655 7cf83e 95654->95655 95656 7cfd3d 95654->95656 95658 7d1310 348 API calls 95655->95658 95674 7ced9d ISource 95655->95674 95686 831155 22 API calls 95656->95686 95679 7cec76 ISource 95658->95679 95659 814beb 95692 83359c 82 API calls __wsopen_s 95659->95692 95661 7cfef7 95661->95674 95688 7ca8c7 22 API calls __fread_nolock 95661->95688 95662 7dfddb 22 API calls 95662->95679 95664 7cf3ae ISource 95664->95674 95689 83359c 82 API calls __wsopen_s 95664->95689 95665 814b0b 95690 83359c 82 API calls __wsopen_s 95665->95690 95666 814600 95666->95674 95687 7ca8c7 22 API calls __fread_nolock 95666->95687 95670 7ca8c7 22 API calls 95670->95679 95673 7e0242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 95673->95679 95675 7cfbe3 95675->95664 95675->95674 95678 814bdc 95675->95678 95676 7ca961 22 API calls 95676->95679 95677 7e00a3 29 API calls pre_c_initialization 95677->95679 95691 83359c 82 API calls __wsopen_s 95678->95691 95679->95659 95679->95661 95679->95662 
95679->95664 95679->95665 95679->95666 95679->95670 95679->95673 95679->95674 95679->95675 95679->95676 95679->95677 95681 7e01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 95679->95681 95682 7d01e0 348 API calls 2 library calls 95679->95682 95683 7d06a0 41 API calls ISource 95679->95683 95681->95679 95682->95679 95683->95679 95684->95651 95685->95656 95686->95674 95687->95674 95688->95674 95689->95674 95690->95674 95691->95659 95692->95674 95693 7c1098 95698 7c42de 95693->95698 95697 7c10a7 95699 7ca961 22 API calls 95698->95699 95700 7c42f5 GetVersionExW 95699->95700 95701 7c6b57 22 API calls 95700->95701 95702 7c4342 95701->95702 95703 7c93b2 22 API calls 95702->95703 95715 7c4378 95702->95715 95704 7c436c 95703->95704 95719 7c37a0 95704->95719 95705 7c441b GetCurrentProcess IsWow64Process 95707 7c4437 95705->95707 95708 7c444f LoadLibraryA 95707->95708 95709 803824 GetSystemInfo 95707->95709 95710 7c449c GetSystemInfo 95708->95710 95711 7c4460 GetProcAddress 95708->95711 95713 7c4476 95710->95713 95711->95710 95712 7c4470 GetNativeSystemInfo 95711->95712 95712->95713 95716 7c447a FreeLibrary 95713->95716 95717 7c109d 95713->95717 95714 8037df 95715->95705 95715->95714 95716->95717 95718 7e00a3 29 API calls __onexit 95717->95718 95718->95697 95720 7c37ae 95719->95720 95721 7c93b2 22 API calls 95720->95721 95722 7c37c2 95721->95722 95722->95715 95723 802ba5 95724 7c2b25 95723->95724 95725 802baf 95723->95725 95751 7c2b83 7 API calls 95724->95751 95769 7c3a5a 95725->95769 95729 802bb8 95731 7c9cb3 22 API calls 95729->95731 95733 802bc6 95731->95733 95732 7c2b2f 95741 7c2b44 95732->95741 95755 7c3837 95732->95755 95734 802bf5 95733->95734 95735 802bce 95733->95735 95738 7c33c6 22 API calls 95734->95738 95776 7c33c6 95735->95776 95749 802bf1 GetForegroundWindow ShellExecuteW 95738->95749 95745 7c2b5f 95741->95745 95765 7c30f2 95741->95765 95742 7c6350 22 API calls 95744 802be7 95742->95744 95747 7c33c6 22 API calls 
95744->95747 95748 7c2b66 SetCurrentDirectoryW 95745->95748 95746 802c26 95746->95745 95747->95749 95750 7c2b7a 95748->95750 95749->95746 95785 7c2cd4 7 API calls 95751->95785 95753 7c2b2a 95754 7c2c63 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 95753->95754 95754->95732 95756 7c3862 ___scrt_fastfail 95755->95756 95786 7c4212 95756->95786 95759 7c38e8 95761 803386 Shell_NotifyIconW 95759->95761 95762 7c3906 Shell_NotifyIconW 95759->95762 95790 7c3923 95762->95790 95764 7c391c 95764->95741 95766 7c3154 95765->95766 95767 7c3104 ___scrt_fastfail 95765->95767 95766->95745 95768 7c3123 Shell_NotifyIconW 95767->95768 95768->95766 95819 801f50 95769->95819 95772 7c9cb3 22 API calls 95773 7c3a8d 95772->95773 95821 7c3aa2 95773->95821 95775 7c3a97 95775->95729 95777 7c33dd 95776->95777 95778 8030bb 95776->95778 95831 7c33ee 95777->95831 95780 7dfddb 22 API calls 95778->95780 95782 8030c5 _wcslen 95780->95782 95781 7c33e8 95781->95742 95783 7dfe0b 22 API calls 95782->95783 95784 8030fe __fread_nolock 95783->95784 95785->95753 95787 8035a4 95786->95787 95788 7c38b7 95786->95788 95787->95788 95789 8035ad DestroyIcon 95787->95789 95788->95759 95812 82c874 42 API calls _strftime 95788->95812 95789->95788 95791 7c393f 95790->95791 95810 7c3a13 95790->95810 95813 7c6270 95791->95813 95794 803393 LoadStringW 95797 8033ad 95794->95797 95795 7c395a 95796 7c6b57 22 API calls 95795->95796 95798 7c396f 95796->95798 95806 7c3994 ___scrt_fastfail 95797->95806 95818 7ca8c7 22 API calls __fread_nolock 95797->95818 95799 7c397c 95798->95799 95800 8033c9 95798->95800 95799->95797 95802 7c3986 95799->95802 95803 7c6350 22 API calls 95800->95803 95804 7c6350 22 API calls 95802->95804 95805 8033d7 95803->95805 95804->95806 95805->95806 95808 7c33c6 22 API calls 95805->95808 95807 7c39f9 Shell_NotifyIconW 95806->95807 95807->95810 95809 8033f9 95808->95809 95811 7c33c6 22 API calls 95809->95811 95810->95764 95811->95806 95812->95759 95814 7dfe0b 22 API calls 95813->95814 95815 7c6295 
95814->95815 95816 7dfddb 22 API calls 95815->95816 95817 7c394d 95816->95817 95817->95794 95817->95795 95818->95806 95820 7c3a67 GetModuleFileNameW 95819->95820 95820->95772 95822 801f50 __wsopen_s 95821->95822 95823 7c3aaf GetFullPathNameW 95822->95823 95824 7c3ace 95823->95824 95825 7c3ae9 95823->95825 95826 7c6b57 22 API calls 95824->95826 95827 7ca6c3 22 API calls 95825->95827 95828 7c3ada 95826->95828 95827->95828 95829 7c37a0 22 API calls 95828->95829 95830 7c3ae6 95829->95830 95830->95775 95832 7c33fe _wcslen 95831->95832 95833 80311d 95832->95833 95834 7c3411 95832->95834 95836 7dfddb 22 API calls 95833->95836 95835 7ca587 22 API calls 95834->95835 95838 7c341e __fread_nolock 95835->95838 95837 803127 95836->95837 95839 7dfe0b 22 API calls 95837->95839 95838->95781 95840 803157 __fread_nolock 95839->95840 95841 7e03fb 95842 7e0407 ___BuildCatchObject 95841->95842 95870 7dfeb1 95842->95870 95844 7e040e 95845 7e0561 95844->95845 95848 7e0438 95844->95848 95900 7e083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 95845->95900 95847 7e0568 95893 7e4e52 95847->95893 95859 7e0477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 95848->95859 95881 7f247d 95848->95881 95855 7e0457 95857 7e04d8 95889 7e0959 95857->95889 95859->95857 95896 7e4e1a 38 API calls 3 library calls 95859->95896 95861 7e04de 95862 7e04f3 95861->95862 95897 7e0992 GetModuleHandleW 95862->95897 95864 7e04fa 95864->95847 95865 7e04fe 95864->95865 95866 7e0507 95865->95866 95898 7e4df5 28 API calls _abort 95865->95898 95899 7e0040 13 API calls 2 library calls 95866->95899 95869 7e050f 95869->95855 95871 7dfeba 95870->95871 95902 7e0698 IsProcessorFeaturePresent 95871->95902 95873 7dfec6 95903 7e2c94 10 API calls 3 library calls 95873->95903 95875 7dfecb 95876 7dfecf 95875->95876 95904 7f2317 95875->95904 95876->95844 95879 7dfee6 95879->95844 95882 7f2494 95881->95882 95883 7e0a8c _ValidateLocalCookies 5 API 
calls 95882->95883 95884 7e0451 95883->95884 95884->95855 95885 7f2421 95884->95885 95886 7f2450 95885->95886 95887 7e0a8c _ValidateLocalCookies 5 API calls 95886->95887 95888 7f2479 95887->95888 95888->95859 95920 7e2340 95889->95920 95892 7e097f 95892->95861 95922 7e4bcf 95893->95922 95896->95857 95897->95864 95898->95866 95899->95869 95900->95847 95902->95873 95903->95875 95908 7fd1f6 95904->95908 95907 7e2cbd 8 API calls 3 library calls 95907->95876 95909 7fd20f 95908->95909 95912 7e0a8c 95909->95912 95911 7dfed8 95911->95879 95911->95907 95913 7e0a97 IsProcessorFeaturePresent 95912->95913 95914 7e0a95 95912->95914 95916 7e0c5d 95913->95916 95914->95911 95919 7e0c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 95916->95919 95918 7e0d40 95918->95911 95919->95918 95921 7e096c GetStartupInfoW 95920->95921 95921->95892 95923 7e4bdb FindHandlerForForeignException 95922->95923 95924 7e4bf4 95923->95924 95925 7e4be2 95923->95925 95946 7f2f5e EnterCriticalSection 95924->95946 95961 7e4d29 GetModuleHandleW 95925->95961 95928 7e4be7 95928->95924 95962 7e4d6d GetModuleHandleExW 95928->95962 95929 7e4c99 95950 7e4cd9 95929->95950 95933 7e4bfb 95933->95929 95935 7e4c70 95933->95935 95947 7f21a8 95933->95947 95936 7e4c88 95935->95936 95940 7f2421 _abort 5 API calls 95935->95940 95941 7f2421 _abort 5 API calls 95936->95941 95937 7e4cb6 95953 7e4ce8 95937->95953 95938 7e4ce2 95970 801d29 5 API calls _ValidateLocalCookies 95938->95970 95940->95936 95941->95929 95946->95933 95971 7f1ee1 95947->95971 95991 7f2fa6 LeaveCriticalSection 95950->95991 95952 7e4cb2 95952->95937 95952->95938 95992 7f360c 95953->95992 95956 7e4d16 95959 7e4d6d _abort 8 API calls 95956->95959 95957 7e4cf6 GetPEB 95957->95956 95958 7e4d06 GetCurrentProcess TerminateProcess 95957->95958 95958->95956 95960 7e4d1e ExitProcess 95959->95960 95961->95928 95963 7e4dba 95962->95963 95964 7e4d97 GetProcAddress 95962->95964 95966 7e4dc9 95963->95966 95967 7e4dc0 FreeLibrary 
95963->95967 95965 7e4dac 95964->95965 95965->95963 95968 7e0a8c _ValidateLocalCookies 5 API calls 95966->95968 95967->95966 95969 7e4bf3 95968->95969 95969->95924 95974 7f1e90 95971->95974 95973 7f1f05 95973->95935 95975 7f1e9c ___BuildCatchObject 95974->95975 95982 7f2f5e EnterCriticalSection 95975->95982 95977 7f1eaa 95983 7f1f31 95977->95983 95981 7f1ec8 __wsopen_s 95981->95973 95982->95977 95987 7f1f59 95983->95987 95988 7f1f51 95983->95988 95984 7e0a8c _ValidateLocalCookies 5 API calls 95985 7f1eb7 95984->95985 95989 7f1ed5 LeaveCriticalSection _abort 95985->95989 95987->95988 95990 7f29c8 20 API calls _free 95987->95990 95988->95984 95989->95981 95990->95988 95991->95952 95993 7f3627 95992->95993 95994 7f3631 95992->95994 95996 7e0a8c _ValidateLocalCookies 5 API calls 95993->95996 95999 7f2fd7 5 API calls 2 library calls 95994->95999 95997 7e4cf2 95996->95997 95997->95956 95997->95957 95998 7f3648 95998->95993 95999->95998 96000 7c105b 96005 7c344d 96000->96005 96002 7c106a 96036 7e00a3 29 API calls __onexit 96002->96036 96004 7c1074 96006 7c345d __wsopen_s 96005->96006 96007 7ca961 22 API calls 96006->96007 96008 7c3513 96007->96008 96009 7c3a5a 24 API calls 96008->96009 96010 7c351c 96009->96010 96037 7c3357 96010->96037 96013 7c33c6 22 API calls 96014 7c3535 96013->96014 96043 7c515f 96014->96043 96017 7ca961 22 API calls 96018 7c354d 96017->96018 96019 7ca6c3 22 API calls 96018->96019 96020 7c3556 RegOpenKeyExW 96019->96020 96021 803176 RegQueryValueExW 96020->96021 96025 7c3578 96020->96025 96022 803193 96021->96022 96023 80320c RegCloseKey 96021->96023 96024 7dfe0b 22 API calls 96022->96024 96023->96025 96035 80321e _wcslen 96023->96035 96026 8031ac 96024->96026 96025->96002 96049 7c5722 96026->96049 96029 7c4c6d 22 API calls 96029->96035 96030 8031d4 96031 7c6b57 22 API calls 96030->96031 96032 8031ee ISource 96031->96032 96032->96023 96033 7c9cb3 22 API calls 96033->96035 96034 7c515f 22 API calls 96034->96035 96035->96025 96035->96029 96035->96033 
96035->96034 96036->96004 96038 801f50 __wsopen_s 96037->96038 96039 7c3364 GetFullPathNameW 96038->96039 96040 7c3386 96039->96040 96041 7c6b57 22 API calls 96040->96041 96042 7c33a4 96041->96042 96042->96013 96044 7c516e 96043->96044 96048 7c518f __fread_nolock 96043->96048 96046 7dfe0b 22 API calls 96044->96046 96045 7dfddb 22 API calls 96047 7c3544 96045->96047 96046->96048 96047->96017 96048->96045 96050 7dfddb 22 API calls 96049->96050 96051 7c5734 RegQueryValueExW 96050->96051 96051->96030 96051->96032 96052 7f2df8 GetLastError 96053 7f2e17 96052->96053 96054 7f2e11 96052->96054 96058 7f2e6e SetLastError 96053->96058 96071 7f4c7d 96053->96071 96078 7f320e 11 API calls 2 library calls 96054->96078 96061 7f2e77 96058->96061 96059 7f2e31 96079 7f29c8 20 API calls _free 96059->96079 96062 7f2e46 96062->96059 96064 7f2e4d 96062->96064 96081 7f2be6 20 API calls FindHandlerForForeignException 96064->96081 96065 7f2e37 96067 7f2e65 SetLastError 96065->96067 96067->96061 96068 7f2e58 96082 7f29c8 20 API calls _free 96068->96082 96070 7f2e5e 96070->96058 96070->96067 96076 7f4c8a FindHandlerForForeignException 96071->96076 96072 7f4cb5 RtlAllocateHeap 96074 7f2e29 96072->96074 96072->96076 96073 7f4cca 96084 7ef2d9 20 API calls _abort 96073->96084 96074->96059 96080 7f3264 11 API calls 2 library calls 96074->96080 96076->96072 96076->96073 96083 7e4ead 7 API calls 2 library calls 96076->96083 96078->96053 96079->96065 96080->96062 96081->96068 96082->96070 96083->96076 96084->96074 96085 7c3156 96088 7c3170 96085->96088 96089 7c3187 96088->96089 96090 7c318c 96089->96090 96091 7c31eb 96089->96091 96129 7c31e9 96089->96129 96095 7c3199 96090->96095 96096 7c3265 PostQuitMessage 96090->96096 96093 802dfb 96091->96093 96094 7c31f1 96091->96094 96092 7c31d0 DefWindowProcW 96120 7c316a 96092->96120 96143 7c18e2 10 API calls 96093->96143 96097 7c321d SetTimer RegisterWindowMessageW 96094->96097 96098 7c31f8 96094->96098 96100 7c31a4 96095->96100 96101 802e7c 96095->96101 
96096->96120 96105 7c3246 CreatePopupMenu 96097->96105 96097->96120 96102 802d9c 96098->96102 96103 7c3201 KillTimer 96098->96103 96106 7c31ae 96100->96106 96107 802e68 96100->96107 96146 82bf30 34 API calls ___scrt_fastfail 96101->96146 96109 802da1 96102->96109 96110 802dd7 MoveWindow 96102->96110 96111 7c30f2 Shell_NotifyIconW 96103->96111 96104 802e1c 96144 7de499 42 API calls 96104->96144 96105->96120 96114 7c31b9 96106->96114 96115 802e4d 96106->96115 96133 82c161 96107->96133 96117 802dc6 SetFocus 96109->96117 96118 802da7 96109->96118 96110->96120 96119 7c3214 96111->96119 96121 7c31c4 96114->96121 96122 7c3253 96114->96122 96115->96092 96145 820ad7 22 API calls 96115->96145 96116 802e8e 96116->96092 96116->96120 96117->96120 96118->96121 96123 802db0 96118->96123 96140 7c3c50 DeleteObject DestroyWindow 96119->96140 96121->96092 96130 7c30f2 Shell_NotifyIconW 96121->96130 96141 7c326f 44 API calls ___scrt_fastfail 96122->96141 96142 7c18e2 10 API calls 96123->96142 96127 7c3263 96127->96120 96129->96092 96131 802e41 96130->96131 96132 7c3837 49 API calls 96131->96132 96132->96129 96134 82c276 96133->96134 96135 82c179 ___scrt_fastfail 96133->96135 96134->96120 96136 7c3923 24 API calls 96135->96136 96138 82c1a0 96136->96138 96137 82c25f KillTimer SetTimer 96137->96134 96138->96137 96139 82c251 Shell_NotifyIconW 96138->96139 96139->96137 96140->96120 96141->96127 96142->96120 96143->96104 96144->96121 96145->96129 96146->96116 96147 7c2e37 96148 7ca961 22 API calls 96147->96148 96149 7c2e4d 96148->96149 96226 7c4ae3 96149->96226 96151 7c2e6b 96152 7c3a5a 24 API calls 96151->96152 96153 7c2e7f 96152->96153 96154 7c9cb3 22 API calls 96153->96154 96155 7c2e8c 96154->96155 96240 7c4ecb 96155->96240 96158 802cb0 96279 832cf9 96158->96279 96159 7c2ead 96262 7ca8c7 22 API calls __fread_nolock 96159->96262 96161 802cc3 96165 802ccf 96161->96165 96305 7c4f39 96161->96305 96164 7c2ec3 96263 7c6f88 22 API calls 96164->96263 96167 7c4f39 68 API calls 96165->96167 96169 
802ce5 96167->96169 96168 7c2ecf 96170 7c9cb3 22 API calls 96168->96170 96311 7c3084 22 API calls 96169->96311 96171 7c2edc 96170->96171 96264 7ca81b 41 API calls 96171->96264 96174 7c2eec 96176 7c9cb3 22 API calls 96174->96176 96175 802d02 96312 7c3084 22 API calls 96175->96312 96177 7c2f12 96176->96177 96265 7ca81b 41 API calls 96177->96265 96180 802d1e 96181 7c3a5a 24 API calls 96180->96181 96182 802d44 96181->96182 96313 7c3084 22 API calls 96182->96313 96183 7c2f21 96186 7ca961 22 API calls 96183->96186 96185 802d50 96314 7ca8c7 22 API calls __fread_nolock 96185->96314 96188 7c2f3f 96186->96188 96266 7c3084 22 API calls 96188->96266 96189 802d5e 96315 7c3084 22 API calls 96189->96315 96192 7c2f4b 96267 7e4a28 40 API calls 3 library calls 96192->96267 96193 802d6d 96316 7ca8c7 22 API calls __fread_nolock 96193->96316 96195 7c2f59 96195->96169 96196 7c2f63 96195->96196 96268 7e4a28 40 API calls 3 library calls 96196->96268 96199 7c2f6e 96199->96175 96201 7c2f78 96199->96201 96200 802d83 96317 7c3084 22 API calls 96200->96317 96269 7e4a28 40 API calls 3 library calls 96201->96269 96204 802d90 96205 7c2f83 96205->96180 96206 7c2f8d 96205->96206 96270 7e4a28 40 API calls 3 library calls 96206->96270 96208 7c2f98 96209 7c2fdc 96208->96209 96271 7c3084 22 API calls 96208->96271 96209->96193 96210 7c2fe8 96209->96210 96210->96204 96212 7c63eb 22 API calls 96210->96212 96214 7c2ff8 96212->96214 96213 7c2fbf 96272 7ca8c7 22 API calls __fread_nolock 96213->96272 96274 7c6a50 22 API calls 96214->96274 96217 7c2fcd 96273 7c3084 22 API calls 96217->96273 96219 7c3006 96275 7c70b0 23 API calls 96219->96275 96223 7c3021 96224 7c3065 96223->96224 96276 7c6f88 22 API calls 96223->96276 96277 7c70b0 23 API calls 96223->96277 96278 7c3084 22 API calls 96223->96278 96227 7c4af0 __wsopen_s 96226->96227 96228 7c6b57 22 API calls 96227->96228 96229 7c4b22 96227->96229 96228->96229 96230 7c4c6d 22 API calls 96229->96230 96238 7c4b58 96229->96238 96230->96229 96231 7c9cb3 22 API calls 
96233 7c4c52 96231->96233 96232 7c9cb3 22 API calls 96232->96238 96234 7c515f 22 API calls 96233->96234 96237 7c4c5e 96234->96237 96235 7c4c6d 22 API calls 96235->96238 96236 7c515f 22 API calls 96236->96238 96237->96151 96238->96232 96238->96235 96238->96236 96239 7c4c29 96238->96239 96239->96231 96239->96237 96318 7c4e90 LoadLibraryA 96240->96318 96245 7c4ef6 LoadLibraryExW 96326 7c4e59 LoadLibraryA 96245->96326 96246 803ccf 96247 7c4f39 68 API calls 96246->96247 96249 803cd6 96247->96249 96251 7c4e59 3 API calls 96249->96251 96255 803cde 96251->96255 96253 7c4f20 96254 7c4f2c 96253->96254 96253->96255 96256 7c4f39 68 API calls 96254->96256 96348 7c50f5 40 API calls __fread_nolock 96255->96348 96258 7c2ea5 96256->96258 96258->96158 96258->96159 96259 803cf5 96349 8328fe 27 API calls 96259->96349 96261 803d05 96262->96164 96263->96168 96264->96174 96265->96183 96266->96192 96267->96195 96268->96199 96269->96205 96270->96208 96271->96213 96272->96217 96273->96209 96274->96219 96275->96223 96276->96223 96277->96223 96278->96223 96280 832d15 96279->96280 96414 7c511f 64 API calls 96280->96414 96282 832d29 96415 832e66 75 API calls 96282->96415 96284 832d3b 96303 832d3f 96284->96303 96416 7c50f5 40 API calls __fread_nolock 96284->96416 96286 832d56 96417 7c50f5 40 API calls __fread_nolock 96286->96417 96288 832d66 96418 7c50f5 40 API calls __fread_nolock 96288->96418 96290 832d81 96419 7c50f5 40 API calls __fread_nolock 96290->96419 96292 832d9c 96420 7c511f 64 API calls 96292->96420 96294 832db3 96295 7eea0c ___std_exception_copy 21 API calls 96294->96295 96296 832dba 96295->96296 96297 7eea0c ___std_exception_copy 21 API calls 96296->96297 96298 832dc4 96297->96298 96421 7c50f5 40 API calls __fread_nolock 96298->96421 96300 832dd8 96422 8328fe 27 API calls 96300->96422 96302 832dee 96302->96303 96423 8322ce 96302->96423 96303->96161 96306 7c4f43 96305->96306 96308 7c4f4a 96305->96308 96307 7ee678 67 API calls 96306->96307 96307->96308 96309 7c4f59 96308->96309 96310 
7c4f6a FreeLibrary 96308->96310 96309->96165 96310->96309 96311->96175 96312->96180 96313->96185 96314->96189 96315->96193 96316->96200 96317->96204 96319 7c4ea8 GetProcAddress 96318->96319 96320 7c4ec6 96318->96320 96321 7c4eb8 96319->96321 96323 7ee5eb 96320->96323 96321->96320 96322 7c4ebf FreeLibrary 96321->96322 96322->96320 96350 7ee52a 96323->96350 96325 7c4eea 96325->96245 96325->96246 96327 7c4e8d 96326->96327 96328 7c4e6e GetProcAddress 96326->96328 96331 7c4f80 96327->96331 96329 7c4e7e 96328->96329 96329->96327 96330 7c4e86 FreeLibrary 96329->96330 96330->96327 96332 7dfe0b 22 API calls 96331->96332 96333 7c4f95 96332->96333 96334 7c5722 22 API calls 96333->96334 96335 7c4fa1 __fread_nolock 96334->96335 96336 7c50a5 96335->96336 96337 803d1d 96335->96337 96347 7c4fdc 96335->96347 96403 7c42a2 CreateStreamOnHGlobal 96336->96403 96411 83304d 74 API calls 96337->96411 96340 803d22 96412 7c511f 64 API calls 96340->96412 96343 803d45 96413 7c50f5 40 API calls __fread_nolock 96343->96413 96345 7c506e ISource 96345->96253 96347->96340 96347->96345 96409 7c50f5 40 API calls __fread_nolock 96347->96409 96410 7c511f 64 API calls 96347->96410 96348->96259 96349->96261 96353 7ee536 ___BuildCatchObject 96350->96353 96351 7ee544 96375 7ef2d9 20 API calls _abort 96351->96375 96353->96351 96355 7ee574 96353->96355 96354 7ee549 96376 7f27ec 26 API calls __wsopen_s 96354->96376 96357 7ee579 96355->96357 96358 7ee586 96355->96358 96377 7ef2d9 20 API calls _abort 96357->96377 96367 7f8061 96358->96367 96361 7ee58f 96362 7ee595 96361->96362 96363 7ee5a2 96361->96363 96378 7ef2d9 20 API calls _abort 96362->96378 96379 7ee5d4 LeaveCriticalSection __fread_nolock 96363->96379 96365 7ee554 __wsopen_s 96365->96325 96368 7f806d ___BuildCatchObject 96367->96368 96380 7f2f5e EnterCriticalSection 96368->96380 96370 7f807b 96381 7f80fb 96370->96381 96374 7f80ac __wsopen_s 96374->96361 96375->96354 96376->96365 96377->96365 96378->96365 96379->96365 96380->96370 96388 7f811e 
96381->96388 96382 7f8177 96383 7f4c7d FindHandlerForForeignException 20 API calls 96382->96383 96384 7f8180 96383->96384 96399 7f29c8 20 API calls _free 96384->96399 96387 7f8189 96393 7f8088 96387->96393 96400 7f3405 11 API calls 2 library calls 96387->96400 96388->96382 96388->96388 96388->96393 96397 7e918d EnterCriticalSection 96388->96397 96398 7e91a1 LeaveCriticalSection 96388->96398 96390 7f81a8 96401 7e918d EnterCriticalSection 96390->96401 96394 7f80b7 96393->96394 96402 7f2fa6 LeaveCriticalSection 96394->96402 96396 7f80be 96396->96374 96397->96388 96398->96388 96399->96387 96400->96390 96401->96393 96402->96396 96404 7c42bc FindResourceExW 96403->96404 96408 7c42d9 96403->96408 96405 8035ba LoadResource 96404->96405 96404->96408 96406 8035cf SizeofResource 96405->96406 96405->96408 96407 8035e3 LockResource 96406->96407 96406->96408 96407->96408 96408->96347 96409->96347 96410->96347 96411->96340 96412->96343 96413->96345 96414->96282 96415->96284 96416->96286 96417->96288 96418->96290 96419->96292 96420->96294 96421->96300 96422->96302 96424 8322d9 96423->96424 96425 8322e7 96423->96425 96426 7ee5eb 29 API calls 96424->96426 96427 83232c 96425->96427 96428 7ee5eb 29 API calls 96425->96428 96447 8322f0 96425->96447 96426->96425 96452 832557 40 API calls __fread_nolock 96427->96452 96430 832311 96428->96430 96430->96427 96431 83231a 96430->96431 96431->96447 96460 7ee678 96431->96460 96432 832370 96433 832395 96432->96433 96434 832374 96432->96434 96453 832171 96433->96453 96437 832381 96434->96437 96439 7ee678 67 API calls 96434->96439 96442 7ee678 67 API calls 96437->96442 96437->96447 96438 83239d 96440 8323c3 96438->96440 96441 8323a3 96438->96441 96439->96437 96473 8323f3 74 API calls 96440->96473 96443 8323b0 96441->96443 96445 7ee678 67 API calls 96441->96445 96442->96447 96446 7ee678 67 API calls 96443->96446 96443->96447 96445->96443 96446->96447 96447->96303 96448 8323ca 96449 8323de 96448->96449 96450 7ee678 67 API calls 96448->96450 

                                                            Control-flow Graph

                                                            APIs
                                                            • GetVersionExW.KERNEL32(?), ref: 007C430D
                                                              • Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A
                                                            • GetCurrentProcess.KERNEL32(?,0085CB64,00000000,?,?), ref: 007C4422
                                                            • IsWow64Process.KERNEL32(00000000,?,?), ref: 007C4429
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 007C4454
                                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 007C4466
                                                            • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 007C4474
                                                            • FreeLibrary.KERNEL32(00000000,?,?), ref: 007C447B
                                                            • GetSystemInfo.KERNEL32(?,?,?), ref: 007C44A0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                            • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                            • API String ID: 3290436268-3101561225
                                                            • Opcode ID: 89ae806339cffab5701428dfcf288ab79e442882f9d85709ca8a26fcb99afddc
                                                            • Instruction ID: 877f89cdbcc267a00211539e8e5e73aa2dd8269f22b28fbab3604a7d915e7fef
                                                            • Opcode Fuzzy Hash: 89ae806339cffab5701428dfcf288ab79e442882f9d85709ca8a26fcb99afddc
                                                            • Instruction Fuzzy Hash: F2A1856590E3C2DFCF16E7797C496A67FB8BB66300B1C44AFD44193B61D62C4608EB21

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007C50AA,?,?,00000000,00000000), ref: 007C42B2
                                                            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007C50AA,?,?,00000000,00000000), ref: 007C42C9
                                                            • LoadResource.KERNEL32(?,00000000,?,?,007C50AA,?,?,00000000,00000000,?,?,?,?,?,?,007C4F20), ref: 008035BE
                                                            • SizeofResource.KERNEL32(?,00000000,?,?,007C50AA,?,?,00000000,00000000,?,?,?,?,?,?,007C4F20), ref: 008035D3
                                                            • LockResource.KERNEL32(007C50AA,?,?,007C50AA,?,?,00000000,00000000,?,?,?,?,?,?,007C4F20,?), ref: 008035E6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                            • String ID: SCRIPT
                                                            • API String ID: 3051347437-3967369404
                                                            • Opcode ID: 1ee6d77447cd219d20e929bbe9dff02f2452c3e80102016f9d68713d308c1e92
                                                            • Instruction ID: bc047b3bcfcb8bc9d01cf56bbc71226552b3774464744a5f2c00cbf489c35105
                                                            • Opcode Fuzzy Hash: 1ee6d77447cd219d20e929bbe9dff02f2452c3e80102016f9d68713d308c1e92
                                                            • Instruction Fuzzy Hash: 6B117971200700BFEB218BA5DC49F277BBAFBC5B52F20816DB816D62A0DB75D800DA20

                                                            Control-flow Graph

                                                            APIs
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 007C2B6B
                                                              • Part of subcall function 007C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00891418,?,007C2E7F,?,?,?,00000000), ref: 007C3A78
                                                              • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
                                                            • GetForegroundWindow.USER32(runas,?,?,?,?,?,00882224), ref: 00802C10
                                                            • ShellExecuteW.SHELL32(00000000,?,?,00882224), ref: 00802C17
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                                            • String ID: runas
                                                            • API String ID: 448630720-4000483414
                                                            • Opcode ID: c18724271a59cf9547ce7dc59074966b0df94316dfaee1e48094729a84d8437b
                                                            • Instruction ID: cbadce0eefe39af43e481c5cdded0b2d91fe8c15ac48121c378e466dc42b696e
                                                            • Opcode Fuzzy Hash: c18724271a59cf9547ce7dc59074966b0df94316dfaee1e48094729a84d8437b
                                                            • Instruction Fuzzy Hash: A911D231208341DACB14FF60D85DFAEBBA5FB94310F48442DF192420A3DF2C894A8712

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 0084A6AC
                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 0084A6BA
                                                              • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
                                                            • Process32NextW.KERNEL32(00000000,?), ref: 0084A79C
                                                            • CloseHandle.KERNELBASE(00000000), ref: 0084A7AB
                                                              • Part of subcall function 007DCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00803303,?), ref: 007DCE8A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                            • String ID:
                                                            • API String ID: 1991900642-0
                                                            • Opcode ID: 8eb2853b763a986d5d73f56424f3167a0ee01796e20ef1a888c2b1aa932b49b4
                                                            • Instruction ID: 523f56c5f873a8b90e4cba52363b5b4912c4fe2d6dc45e9f15c2af0e2b729e7d
                                                            • Opcode Fuzzy Hash: 8eb2853b763a986d5d73f56424f3167a0ee01796e20ef1a888c2b1aa932b49b4
                                                            • Instruction Fuzzy Hash: 03511971508700AFD714EF24D88AE6BBBE8FF89754F40492DF58597251EB34E904CB92
                                                            APIs
                                                            • lstrlenW.KERNEL32(?,00805222), ref: 0082DBCE
                                                            • GetFileAttributesW.KERNELBASE(?), ref: 0082DBDD
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0082DBEE
                                                            • FindClose.KERNEL32(00000000), ref: 0082DBFA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: FileFind$AttributesCloseFirstlstrlen
                                                            • String ID:
                                                            • API String ID: 2695905019-0
                                                            • Opcode ID: ca123e6a1e36eccb304da8b35d25193fe099bc7dea26776daafd0a8366402a3c
                                                            • Instruction ID: ff9a2ccd413a4dff525b7b8cbdc600ba942d61089b49f7d392c5eb97ffda219b
                                                            • Opcode Fuzzy Hash: ca123e6a1e36eccb304da8b35d25193fe099bc7dea26776daafd0a8366402a3c
                                                            • Instruction Fuzzy Hash: ABF0A030810B245B82206B78AC0D8AA3BACFF01336B104702F836D22E0EBB45994CA96
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(007F28E9,?,007E4CBE,007F28E9,008888B8,0000000C,007E4E15,007F28E9,00000002,00000000,?,007F28E9), ref: 007E4D09
                                                            • TerminateProcess.KERNEL32(00000000,?,007E4CBE,007F28E9,008888B8,0000000C,007E4E15,007F28E9,00000002,00000000,?,007F28E9), ref: 007E4D10
                                                            • ExitProcess.KERNEL32 ref: 007E4D22
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Process$CurrentExitTerminate
                                                            • String ID:
                                                            • API String ID: 1703294689-0
                                                            • Opcode ID: a96f1d5e7553ab0fc3254b67230d91c62c2f0c21eb247eb8758fc0829c45234b
                                                            • Instruction ID: 4d675a6f6074e444ac3f4da08f511a38663f9cd9817dd074c722d9faf71263d5
                                                            • Opcode Fuzzy Hash: a96f1d5e7553ab0fc3254b67230d91c62c2f0c21eb247eb8758fc0829c45234b
                                                            • Instruction Fuzzy Hash: 0CE09231101688AFCB11AF65DD09A983B69FB85782B104054FA058A222CB39D942CA80

                                                            Control-flow Graph

                                                            APIs
                                                            • _wcslen.LIBCMT ref: 0084B198
                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0084B1B0
                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0084B1D4
                                                            • _wcslen.LIBCMT ref: 0084B200
                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0084B214
                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0084B236
                                                            • _wcslen.LIBCMT ref: 0084B332
                                                              • Part of subcall function 008305A7: GetStdHandle.KERNEL32(000000F6), ref: 008305C6
                                                            • _wcslen.LIBCMT ref: 0084B34B
                                                            • _wcslen.LIBCMT ref: 0084B366
                                                            • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0084B3B6
                                                            • GetLastError.KERNEL32(00000000), ref: 0084B407
                                                            • CloseHandle.KERNEL32(?), ref: 0084B439
                                                            • CloseHandle.KERNEL32(00000000), ref: 0084B44A
                                                            • CloseHandle.KERNEL32(00000000), ref: 0084B45C
                                                            • CloseHandle.KERNEL32(00000000), ref: 0084B46E
                                                            • CloseHandle.KERNEL32(?), ref: 0084B4E3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 2178637699-0
                                                            • Opcode ID: 4de3766c5a83a9f63aad77fc599142efd92d6ff5e7e9e4be19adb9e3ee988df5
                                                            • Instruction ID: 67d26ea0b7cf247574ad894151ec6a8a7cdb6b4d58bb11d169c773b28d5663d7
                                                            • Opcode Fuzzy Hash: 4de3766c5a83a9f63aad77fc599142efd92d6ff5e7e9e4be19adb9e3ee988df5
                                                            • Instruction Fuzzy Hash: C6F16531608244DFC724EF24C895B2ABBE5FF84314F14855DF8999B2A2CB35EC40CB92
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: InputSleepStateTimetime
                                                            • String ID:
                                                            • API String ID: 4149333218-0
                                                            • Opcode ID: c0624850ab2fecee294febc57fd403ffeb8a3389bc36da2e16811bc31435350e
                                                            • Instruction ID: 8ec6db029b2263934147f965f486b12ccf2834d0bc8b02479fe64185be12bfa5
                                                            • Opcode Fuzzy Hash: c0624850ab2fecee294febc57fd403ffeb8a3389bc36da2e16811bc31435350e
                                                            • Instruction Fuzzy Hash: 5542AD70608341EFDB35DF24C888FAAB7A5FF85304F14852EE55687291D778AC94CB92

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 007C2D07
                                                            • RegisterClassExW.USER32(00000030), ref: 007C2D31
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007C2D42
                                                            • InitCommonControlsEx.COMCTL32(?), ref: 007C2D5F
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007C2D6F
                                                            • LoadIconW.USER32(000000A9), ref: 007C2D85
                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007C2D94
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                            • API String ID: 2914291525-1005189915
                                                            • Opcode ID: c56f464fd07a216dc0c55e20c3a9fc8ed6d7bece3386665310a908e3c5f91bcf
                                                            • Instruction ID: 37bf9d576a46a9cb043270db42efa9b5cc69a5cdd284c1c3d9e221916fc79750
                                                            • Opcode Fuzzy Hash: c56f464fd07a216dc0c55e20c3a9fc8ed6d7bece3386665310a908e3c5f91bcf
                                                            • Instruction Fuzzy Hash: 9F21B2B5905319AFDF00EFA4EC49B9DBFB4FB08B01F14811AFA11A62A0D7B95544CF91

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 0080039A: CreateFileW.KERNELBASE(00000000,00000000,?,00800704,?,?,00000000,?,00800704,00000000,0000000C), ref: 008003B7
                                                            • GetLastError.KERNEL32 ref: 0080076F
                                                            • __dosmaperr.LIBCMT ref: 00800776
                                                            • GetFileType.KERNELBASE(00000000), ref: 00800782
                                                            • GetLastError.KERNEL32 ref: 0080078C
                                                            • __dosmaperr.LIBCMT ref: 00800795
                                                            • CloseHandle.KERNEL32(00000000), ref: 008007B5
                                                            • CloseHandle.KERNEL32(?), ref: 008008FF
                                                            • GetLastError.KERNEL32 ref: 00800931
                                                            • __dosmaperr.LIBCMT ref: 00800938
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                            • String ID: H
                                                            • API String ID: 4237864984-2852464175
                                                            • Opcode ID: f12c2bdba94906bd693ed0cd2ce33d9df6858d41d45c9b36e884e0cc3316bf0a
                                                            • Instruction ID: 76461b565d984ef6a90e71f7766223acc16a769d36a058756c863045d39662f6
                                                            • Opcode Fuzzy Hash: f12c2bdba94906bd693ed0cd2ce33d9df6858d41d45c9b36e884e0cc3316bf0a
                                                            • Instruction Fuzzy Hash: 24A13632A002488FDF19AF68DC55BAE3BA0FB06324F14415AF815DB3D2DB359912CF92

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 007C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00891418,?,007C2E7F,?,?,?,00000000), ref: 007C3A78
                                                              • Part of subcall function 007C3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007C3379
                                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007C356A
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0080318D
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008031CE
                                                            • RegCloseKey.ADVAPI32(?), ref: 00803210
                                                            • _wcslen.LIBCMT ref: 00803277
                                                            • _wcslen.LIBCMT ref: 00803286
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                            • API String ID: 98802146-2727554177
                                                            • Opcode ID: 18382514c3f36fbbf20284cf1545bcf59f3c1889383291b771aaed75a683e25c
                                                            • Instruction ID: f34e1c1a9b4552f75af602e5985a78e26473695cb287f801d2ed79d84cd9e032
                                                            • Opcode Fuzzy Hash: 18382514c3f36fbbf20284cf1545bcf59f3c1889383291b771aaed75a683e25c
                                                            • Instruction Fuzzy Hash: F1716C71505301EEC314EF65EC869ABBBE8FF89340B44452EF545D32B1EB389A48DB62

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 007C2B8E
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 007C2B9D
                                                            • LoadIconW.USER32(00000063), ref: 007C2BB3
                                                            • LoadIconW.USER32(000000A4), ref: 007C2BC5
                                                            • LoadIconW.USER32(000000A2), ref: 007C2BD7
                                                            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007C2BEF
                                                            • RegisterClassExW.USER32(?), ref: 007C2C40
                                                              • Part of subcall function 007C2CD4: GetSysColorBrush.USER32(0000000F), ref: 007C2D07
                                                              • Part of subcall function 007C2CD4: RegisterClassExW.USER32(00000030), ref: 007C2D31
                                                              • Part of subcall function 007C2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007C2D42
                                                              • Part of subcall function 007C2CD4: InitCommonControlsEx.COMCTL32(?), ref: 007C2D5F
                                                              • Part of subcall function 007C2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007C2D6F
                                                              • Part of subcall function 007C2CD4: LoadIconW.USER32(000000A9), ref: 007C2D85
                                                              • Part of subcall function 007C2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007C2D94
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                            • String ID: #$0$AutoIt v3
                                                            • API String ID: 423443420-4155596026
                                                            • Opcode ID: ebb1f9b92a4203b603fed041209b49684bc7dcb26331c05461d338a06bde891a
                                                            • Instruction ID: 5643461955c447aa3e7c3e07ed61d6bcf6bb62529ec538eb7057c4358dda30b2
                                                            • Opcode Fuzzy Hash: ebb1f9b92a4203b603fed041209b49684bc7dcb26331c05461d338a06bde891a
                                                            • Instruction Fuzzy Hash: 7B211A70E04319AFDF10AFA9EC59B997FB4FB48B50F08411BE504A67A0D7B90540EF90

                                                            Control-flow Graph

                                                            APIs
                                                            • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,007C316A,?,?), ref: 007C31D8
                                                            • KillTimer.USER32(?,00000001,?,?,?,?,?,007C316A,?,?), ref: 007C3204
                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007C3227
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,007C316A,?,?), ref: 007C3232
                                                            • CreatePopupMenu.USER32 ref: 007C3246
                                                            • PostQuitMessage.USER32(00000000), ref: 007C3267
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                            • String ID: TaskbarCreated
                                                            • API String ID: 129472671-2362178303
                                                            • Opcode ID: 78b99c5b27ee25086aef0511f105719cf9caf982f1eb8feb0968e5eae8c096ff
                                                            • Instruction ID: 31d86aab01b88ff0ffcd981ba878570e65abad4e90c1351b976ae614db042165
                                                            • Opcode Fuzzy Hash: 78b99c5b27ee25086aef0511f105719cf9caf982f1eb8feb0968e5eae8c096ff
                                                            • Instruction Fuzzy Hash: 5541D735248209AFDF152B789D4DFB93B69F705340F0C812EF902C66E1C76D9E40ABA1

                                                            Control-flow Graph

                                                            APIs
                                                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 007C1459
                                                            • CoUninitialize.COMBASE ref: 007C14F8
                                                            • UnregisterHotKey.USER32(?), ref: 007C16DD
                                                            • DestroyWindow.USER32(?), ref: 008024B9
                                                            • FreeLibrary.KERNEL32(?), ref: 0080251E
                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0080254B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                            • String ID: close all
                                                            • API String ID: 469580280-3243417748
                                                            • Opcode ID: 18c788e30bb4a6e9e65fb6ddd8f333147618a72071c9c577dd43a01bebd2d207
                                                            • Instruction ID: 4f998ad388822f8d1dce0816f23c7ba0ddc1379386d95f8d8037e256af11762e
                                                            • Opcode Fuzzy Hash: 18c788e30bb4a6e9e65fb6ddd8f333147618a72071c9c577dd43a01bebd2d207
                                                            • Instruction Fuzzy Hash: C7D16931601212CFCB59EF14C899F29F7A4FF05710F5442ADE94AAB292DB35AD22CF94

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 809 7c2c63-7c2cd3 CreateWindowExW * 2 ShowWindow * 2
                                                            APIs
                                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007C2C91
                                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007C2CB2
                                                            • ShowWindow.USER32(00000000,?,?,?,?,?,?,007C1CAD,?), ref: 007C2CC6
                                                            • ShowWindow.USER32(00000000,?,?,?,?,?,?,007C1CAD,?), ref: 007C2CCF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Window$CreateShow
                                                            • String ID: AutoIt v3$edit
                                                            • API String ID: 1584632944-3779509399
                                                            • Opcode ID: ac1ae4fb455c1bf6644759a41150ef7ae0ae30780858ed2996971231fef3964f
                                                            • Instruction ID: 122572d6b13ff50bc621053de1057b4ad885caa5a5304f01e7feddc591a9e2ee
                                                            • Opcode Fuzzy Hash: ac1ae4fb455c1bf6644759a41150ef7ae0ae30780858ed2996971231fef3964f
                                                            • Instruction Fuzzy Hash: 9FF0DA755443917EEF312727AC0CE772EBDF7CAF51B04005AF904A26A0C6791854EEB0

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 924 7f2df8-7f2e0f GetLastError 925 7f2e1d-7f2e24 call 7f4c7d 924->925 926 7f2e11-7f2e1b call 7f320e 924->926 930 7f2e29-7f2e2f 925->930 926->925 931 7f2e6e-7f2e75 SetLastError 926->931 932 7f2e3a-7f2e48 call 7f3264 930->932 933 7f2e31 930->933 935 7f2e77-7f2e7c 931->935 939 7f2e4d-7f2e63 call 7f2be6 call 7f29c8 932->939 940 7f2e4a-7f2e4b 932->940 936 7f2e32-7f2e38 call 7f29c8 933->936 943 7f2e65-7f2e6c SetLastError 936->943 939->931 939->943 940->936 943->935
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,?,007EF2DE,007F3863,00891444,?,007DFDF5,?,?,007CA976,00000010,00891440,007C13FC,?,007C13C6), ref: 007F2DFD
                                                            • _free.LIBCMT ref: 007F2E32
                                                            • _free.LIBCMT ref: 007F2E59
                                                            • SetLastError.KERNEL32(00000000,007C1129), ref: 007F2E66
                                                            • SetLastError.KERNEL32(00000000,007C1129), ref: 007F2E6F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$_free
                                                            • String ID:
                                                            • API String ID: 3170660625-0
                                                            • Opcode ID: 11b1492a215e0967ae2e3ce84aaf897ee3df38b9572e1d53f0f7b541412e9d8e
                                                            • Instruction ID: 3398ad435ec4d23e38243023221c4ee450bd55c791aa2c230f0f85f8d018e4ed
                                                            • Opcode Fuzzy Hash: 11b1492a215e0967ae2e3ce84aaf897ee3df38b9572e1d53f0f7b541412e9d8e
                                                            • Instruction Fuzzy Hash: 2301F43624570CEBC61267746C8DD7B2A59BBC17B5B340129FB21E23A3EA7C8C034520

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 983 7c3b1c-7c3b27 984 7c3b99-7c3b9b 983->984 985 7c3b29-7c3b2e 983->985 986 7c3b8c-7c3b8f 984->986 985->984 987 7c3b30-7c3b48 RegOpenKeyExW 985->987 987->984 988 7c3b4a-7c3b69 RegQueryValueExW 987->988 989 7c3b6b-7c3b76 988->989 990 7c3b80-7c3b8b RegCloseKey 988->990 991 7c3b78-7c3b7a 989->991 992 7c3b90-7c3b97 989->992 990->986 993 7c3b7e 991->993 992->993 993->990
                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,007C3B0F,SwapMouseButtons,00000004,?), ref: 007C3B40
                                                            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,007C3B0F,SwapMouseButtons,00000004,?), ref: 007C3B61
                                                            • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,007C3B0F,SwapMouseButtons,00000004,?), ref: 007C3B83
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID: Control Panel\Mouse
                                                            • API String ID: 3677997916-824357125
                                                            • Opcode ID: 9c8030313db181661d32c067842f3f77f430c98c4195f7efd825a160fab383a0
                                                            • Instruction ID: 18c0af9de58db67b25e2d5d45c0897365addcfb2ec79d1cd9fc069948672e21a
                                                            • Opcode Fuzzy Hash: 9c8030313db181661d32c067842f3f77f430c98c4195f7efd825a160fab383a0
                                                            • Instruction Fuzzy Hash: 0D1127B5610208FFDB208FA5DC84EEFBBB8EF04795B10846EB805D7110E235AE409BA0
                                                            APIs
                                                            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008033A2
                                                              • Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A
                                                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 007C3A04
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: IconLoadNotifyShell_String_wcslen
                                                            • String ID: Line:
                                                            • API String ID: 2289894680-1585850449
                                                            • Opcode ID: 84f5e8b7b21fd016098f406569e852df9d46c5680bff2d3bc8bfbb966c4f3841
                                                            • Instruction ID: 8819eea696ff22caa13f904329a7335340c7115a082d19f31f2670af5a0d4ec2
                                                            • Opcode Fuzzy Hash: 84f5e8b7b21fd016098f406569e852df9d46c5680bff2d3bc8bfbb966c4f3841
                                                            • Instruction Fuzzy Hash: 6A31C271408301AAD721EB20DC49FEBB7ECBB44714F04892EF59992291DB7CAA48C7C2
                                                            APIs
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 007E0668
                                                              • Part of subcall function 007E32A4: RaiseException.KERNEL32(?,?,?,007E068A,?,00891444,?,?,?,?,?,?,007E068A,007C1129,00888738,007C1129), ref: 007E3304
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 007E0685
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Exception@8Throw$ExceptionRaise
                                                            • String ID: Unknown exception
                                                            • API String ID: 3476068407-410509341
                                                            • Opcode ID: cb7dc485e4ac6d2a84ab472da3d80964c3790ab872589f39802b8d14ab389d3e
                                                            • Instruction ID: 8c0d27525c9208a91f4cb87982e1bd4ab32a0219edb697a197c4835dd280a50a
                                                            • Opcode Fuzzy Hash: cb7dc485e4ac6d2a84ab472da3d80964c3790ab872589f39802b8d14ab389d3e
                                                            • Instruction Fuzzy Hash: 58F04C3490128DF3CF00B676D84ED5E777DAE04310BA04431F924D6691EFB8DA65C6C0
                                                            APIs
                                                              • Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007C1BF4
                                                              • Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 007C1BFC
                                                              • Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007C1C07
                                                              • Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007C1C12
                                                              • Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 007C1C1A
                                                              • Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 007C1C22
                                                              • Part of subcall function 007C1B4A: RegisterWindowMessageW.USER32(00000004,?,007C12C4), ref: 007C1BA2
                                                            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 007C136A
                                                            • OleInitialize.OLE32 ref: 007C1388
                                                            • CloseHandle.KERNEL32(00000000,00000000), ref: 008024AB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                            • String ID:
                                                            • API String ID: 1986988660-0
                                                            • Opcode ID: 499cd24c498cf5d77826c36c65fd7e1f064f14f8dd6c00caea352d4b5c361015
                                                            • Instruction ID: edd2bf79495671fb66d00451c9b4c2c1d9e87d2ccf29af1dd76bae969a3e2a5c
                                                            • Opcode Fuzzy Hash: 499cd24c498cf5d77826c36c65fd7e1f064f14f8dd6c00caea352d4b5c361015
                                                            • Instruction Fuzzy Hash: 2071B7B49193028ECF85FFB9A94DA583BE1FB8834434E822FE51AD7261EB344409CF44
                                                            APIs
                                                              • Part of subcall function 007C3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 007C3A04
                                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0082C259
                                                            • KillTimer.USER32(?,00000001,?,?), ref: 0082C261
                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0082C270
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: IconNotifyShell_Timer$Kill
                                                            • String ID:
                                                            • API String ID: 3500052701-0
                                                            • Opcode ID: d64261078a4e7a28319c9a55ccaaa8fecfe6288aad84b393e87eaac669ee3dec
                                                            • Instruction ID: 90265bcce6bb69ab53b9089bcb97b98ca8863010e20bd2a0faa0dc00f7226b7c
                                                            • Opcode Fuzzy Hash: d64261078a4e7a28319c9a55ccaaa8fecfe6288aad84b393e87eaac669ee3dec
                                                            • Instruction Fuzzy Hash: 0D318170904364AFEB22DF649859BEABBECFB06348F04049EE59A97241C7745AC4CB51
                                                            APIs
                                                            • CloseHandle.KERNELBASE(00000000,00000000,?,?,007F85CC,?,00888CC8,0000000C), ref: 007F8704
                                                            • GetLastError.KERNEL32(?,007F85CC,?,00888CC8,0000000C), ref: 007F870E
                                                            • __dosmaperr.LIBCMT ref: 007F8739
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CloseErrorHandleLast__dosmaperr
                                                            • String ID:
                                                            • API String ID: 2583163307-0
                                                            • Opcode ID: 667951fa9933c60d698ac04c79d75b9f40f78a9bbbb3a8944b0eb03e8913a3c3
                                                            • Instruction ID: 3073a3774a925ade5aefb2766007471988db13c6d119924614a4fd1bfc997411
                                                            • Opcode Fuzzy Hash: 667951fa9933c60d698ac04c79d75b9f40f78a9bbbb3a8944b0eb03e8913a3c3
                                                            • Instruction Fuzzy Hash: EE016B33605A285AC2A07338A84D77E67894F8277DF390119FB14CB3D3DEAC8C818152
                                                            APIs
                                                            • TranslateMessage.USER32(?), ref: 007CDB7B
                                                            • DispatchMessageW.USER32(?), ref: 007CDB89
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007CDB9F
                                                            • Sleep.KERNELBASE(0000000A), ref: 007CDBB1
                                                            • TranslateAcceleratorW.USER32(?,?,?), ref: 00811CC9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                                                            • String ID:
                                                            • API String ID: 3288985973-0
                                                            • Opcode ID: d0a3abb7f2ae800e065eaec97dff88ba03f8affb39ba99cb593b5ddebde3955a
                                                            • Instruction ID: ce39da49538eed6a1e4c0c3260778b80f5721bc8a6948438ed6a4007645baa28
                                                            • Opcode Fuzzy Hash: d0a3abb7f2ae800e065eaec97dff88ba03f8affb39ba99cb593b5ddebde3955a
                                                            • Instruction Fuzzy Hash: 5CF03A306443419BEB309BA08C89FEA73ACFB88311F10452DE61AD34C0EB3898889B25
                                                            APIs
                                                            • __Init_thread_footer.LIBCMT ref: 007D17F6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Init_thread_footer
                                                            • String ID: CALL
                                                            • API String ID: 1385522511-4196123274
                                                            • Opcode ID: ef8510b8a7d8c40b0e086849525b2f0a70cb57b0e0eeaa74dfea7c4b1f7e7420
                                                            • Instruction ID: 170eba3241e4f5feeab7120dc3ac26264de3484d04bde3e3363a1f885dac8afc
                                                            • Opcode Fuzzy Hash: ef8510b8a7d8c40b0e086849525b2f0a70cb57b0e0eeaa74dfea7c4b1f7e7420
                                                            • Instruction Fuzzy Hash: 7922AB70608201EFC714DF14C484A6ABBF5FF89314F58896EF4968B362D739E895CB92
                                                            APIs
                                                            • GetOpenFileNameW.COMDLG32(?), ref: 00802C8C
                                                              • Part of subcall function 007C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007C3A97,?,?,007C2E7F,?,?,?,00000000), ref: 007C3AC2
                                                              • Part of subcall function 007C2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007C2DC4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Name$Path$FileFullLongOpen
                                                            • String ID: X
                                                            • API String ID: 779396738-3081909835
                                                            • Opcode ID: 902106a640404c79010464c2a8bb312ccd1105ec009c06759e710b0494889a09
                                                            • Instruction ID: fa452d79c9dba659df2e595aaf3ebfa4c20333e94f5233a1134bfe637bbecf50
                                                            • Opcode Fuzzy Hash: 902106a640404c79010464c2a8bb312ccd1105ec009c06759e710b0494889a09
                                                            • Instruction Fuzzy Hash: 13218171A002989ADB41EF94C849BEE7BB8AF48314F00805DE505EB281DBB85A498FA1
                                                            APIs
                                                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 007C3908
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: IconNotifyShell_
                                                            • String ID:
                                                            • API String ID: 1144537725-0
                                                            • Opcode ID: 7f21de7a6f84db892d43aee2e7d7458d3bdea957303dc97c8a4e132ac5862551
                                                            • Instruction ID: 2911a6f6d5dcfe648347823d47dcbb842dc7815cc925c37a7e28ecda6d1ec9ca
                                                            • Opcode Fuzzy Hash: 7f21de7a6f84db892d43aee2e7d7458d3bdea957303dc97c8a4e132ac5862551
                                                            • Instruction Fuzzy Hash: 1E314C705047019FD721EF24D889B97BBF8FB49708F04096EF59987250E779AA44CB52
                                                            APIs
                                                            • timeGetTime.WINMM ref: 007DF661
                                                              • Part of subcall function 007CD730: GetInputState.USER32 ref: 007CD807
                                                            • Sleep.KERNEL32(00000000), ref: 0081F2DE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: InputSleepStateTimetime
                                                            • String ID:
                                                            • API String ID: 4149333218-0
                                                            • Opcode ID: 734c4b13198cbf96e9b7ded096ff028a6d410cb36a9a5d29d52ffc0c004a41c6
                                                            • Instruction ID: 180218724ca8111419349a8843516e246e0598eb8315662d20b49594ae0c82bd
                                                            • Opcode Fuzzy Hash: 734c4b13198cbf96e9b7ded096ff028a6d410cb36a9a5d29d52ffc0c004a41c6
                                                            • Instruction Fuzzy Hash: 32F058312407059FD310EB69E44AF6ABBE8FF59761F00002EE85AC7361DB74A8008B90
                                                            APIs
                                                            • __Init_thread_footer.LIBCMT ref: 007CBB4E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Init_thread_footer
                                                            • String ID:
                                                            • API String ID: 1385522511-0
                                                            • Opcode ID: 649cdd23e0ed9216090097910d6b1a83edd59862d91e7e4f623bf5bf173e47c3
                                                            • Instruction ID: 268623ebc21e7483f4b3376d7817008d3fcdd4e8d3ef4fd5f2ca0c7bb4c193a6
                                                            • Opcode Fuzzy Hash: 649cdd23e0ed9216090097910d6b1a83edd59862d91e7e4f623bf5bf173e47c3
                                                            • Instruction Fuzzy Hash: 1A325770A00209EFDB24DF54C895FAAB7B9FF44314F18805EE915AB361D7B8AD81CB91
                                                            APIs
                                                              • Part of subcall function 007C4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,007C4EDD,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E9C
                                                              • Part of subcall function 007C4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007C4EAE
                                                              • Part of subcall function 007C4E90: FreeLibrary.KERNEL32(00000000,?,?,007C4EDD,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4EC0
                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4EFD
                                                              • Part of subcall function 007C4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00803CDE,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E62
                                                              • Part of subcall function 007C4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007C4E74
                                                              • Part of subcall function 007C4E59: FreeLibrary.KERNEL32(00000000,?,?,00803CDE,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E87
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Library$Load$AddressFreeProc
                                                            • String ID:
                                                            • API String ID: 2632591731-0
                                                            • Opcode ID: ded36f688c4f8f721d340c7ea0670173cb23ac468248f9ad9572c1f4d52b869e
                                                            • Instruction ID: 2ef5f14424b6eed17ece98477c23933e679b092b49d5cdd0444040d6d73d00d4
                                                            • Opcode Fuzzy Hash: ded36f688c4f8f721d340c7ea0670173cb23ac468248f9ad9572c1f4d52b869e
                                                            • Instruction Fuzzy Hash: 8D112332600305EADB10EB60DC2AFAD77A5AF40710F10842DF442E61C1EEB9AA449B90
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: __wsopen_s
                                                            • String ID:
                                                            • API String ID: 3347428461-0
                                                            • Opcode ID: cb488dd69ccc24184284455ac54777f00ae5d3461d38e1c4dfeef1f1dd264e29
                                                            • Instruction ID: 0c977caf22b3412f986230ffa549b95e20432214a39e06f3dc072f595c170273
                                                            • Opcode Fuzzy Hash: cb488dd69ccc24184284455ac54777f00ae5d3461d38e1c4dfeef1f1dd264e29
                                                            • Instruction Fuzzy Hash: 5911187590410EAFCB05DF58E9419AE7BF5FF48314F144059F908AB312DB31DA11CBA5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                            • Instruction ID: 45546a8bc570fe10392127206bba3d3268b3180ec5b887669ee8dfe662f4a0f5
                                                            • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                            • Instruction Fuzzy Hash: EEF0F932512A54D7C6313B679C09B6A33989F56334F100B15F620932D2DB7CE80285A6
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000008,007C1129,00000000,?,007F2E29,00000001,00000364,?,?,?,007EF2DE,007F3863,00891444,?,007DFDF5,?), ref: 007F4CBE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: 3ed0fe2f1a8d504cfe9ca27f9275659856b04b82bc9493704d2023dee4e8bcc8
                                                            • Instruction ID: 6df06311c4233ec7343dbae97c2df84300886395dd60f1ef166fb22b967de2e6
                                                            • Opcode Fuzzy Hash: 3ed0fe2f1a8d504cfe9ca27f9275659856b04b82bc9493704d2023dee4e8bcc8
                                                            • Instruction Fuzzy Hash: 58F0B432607268A7DB215F66AC09B7B3798BF417A1B186112BB15A7381DA3CD800D6B0
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,?,00891444,?,007DFDF5,?,?,007CA976,00000010,00891440,007C13FC,?,007C13C6,?,007C1129), ref: 007F3852
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: 25af23fe168060a7cdc5fa170f32f329af7bbf25080e5fe4683ea8483bc26ef9
                                                            • Instruction ID: a4fd2732631dac0ff22c91ca100ef3f7b04b8b3c6f3ae6e853b2fbbc473c8a9e
                                                            • Opcode Fuzzy Hash: 25af23fe168060a7cdc5fa170f32f329af7bbf25080e5fe4683ea8483bc26ef9
                                                            • Instruction Fuzzy Hash: B2E0E53210526CEAE62126779D08BBA3648AB42BF0F090022BE0592780DB1DDD0191F0
                                                            APIs
                                                            • FreeLibrary.KERNEL32(?,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4F6D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID:
                                                            • API String ID: 3664257935-0
                                                            • Opcode ID: b8691accf1d7ea1b06a1508f3081c44fa4728977a5553eb638d82116deb31764
                                                            • Instruction ID: 5fbd48d89e97c6e2f76f7da1b9427d0e72e52ad64ac658987b502e8432390a92
                                                            • Opcode Fuzzy Hash: b8691accf1d7ea1b06a1508f3081c44fa4728977a5553eb638d82116deb31764
                                                            • Instruction Fuzzy Hash: ACF03971105B52CFDB349F64D4A4E22BBE4BF14329328897EE1EA82621CB399844DF10
                                                            APIs
                                                            • Shell_NotifyIconW.SHELL32(00000002,?), ref: 007C314E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: IconNotifyShell_
                                                            • String ID:
                                                            • API String ID: 1144537725-0
                                                            • Opcode ID: 382c2de8c37115acc524bd4da63a7b6d82d97c8a0a86726d2d96e1ba43ba1f46
                                                            • Instruction ID: 448296bf4cda5e492e3ca48c42b4a0ebed6dda9e82b60d2a6aa53651e3116621
                                                            • Opcode Fuzzy Hash: 382c2de8c37115acc524bd4da63a7b6d82d97c8a0a86726d2d96e1ba43ba1f46
                                                            • Instruction Fuzzy Hash: 48F0A7709043089FEB52AB24DC4ABD57BBCB70170CF0401EAA14896282D7784B88CF41
                                                            APIs
                                                            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007C2DC4
                                                              • Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: LongNamePath_wcslen
                                                            • String ID:
                                                            • API String ID: 541455249-0
                                                            • Opcode ID: 89dc7052873e29eab298e13f37f4ab690df68fc700b3b6f44faf7901f0a8ea50
                                                            • Instruction ID: 4debc470f996a3e11a30a9bd83078f4ffbda616f3686f6456bd38a8e89e70e07
                                                            • Opcode Fuzzy Hash: 89dc7052873e29eab298e13f37f4ab690df68fc700b3b6f44faf7901f0a8ea50
                                                            • Instruction Fuzzy Hash: 07E0CD726002245BCB10D6589C09FDA77DDEFC8790F040075FD09E7248DE64AD808551
                                                            APIs
                                                              • Part of subcall function 007C3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007C3908
                                                              • Part of subcall function 007CD730: GetInputState.USER32 ref: 007CD807
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 007C2B6B
                                                              • Part of subcall function 007C30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 007C314E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                            • String ID:
                                                            • API String ID: 3667716007-0
                                                            • Opcode ID: 6de7b577e93e6ac5bd2bb98e46027c7138a5dd0087346b0ba9e13a36d6074cf2
                                                            • Instruction ID: 68e163206d2bfc5a02e74e6600c579bcb78b9f39c1e7479f58926ab4ad24cbc1
                                                            • Opcode Fuzzy Hash: 6de7b577e93e6ac5bd2bb98e46027c7138a5dd0087346b0ba9e13a36d6074cf2
                                                            • Instruction Fuzzy Hash: D2E0262230430486CE04BB70985EFBDB38AABD5311F00443EF14383163CE2C898A4351
                                                            APIs
                                                            • CreateFileW.KERNELBASE(00000000,00000000,?,00800704,?,?,00000000,?,00800704,00000000,0000000C), ref: 008003B7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: d2eb18a98d635a953a0ed2615c65e600c1168331c8264732a9e76fbd7bfa57ac
                                                            • Instruction ID: 5d050a0c656f8ed9a8026c00e2989806ecdb4d961cbd6743bfefc38030d6a30f
                                                            • Opcode Fuzzy Hash: d2eb18a98d635a953a0ed2615c65e600c1168331c8264732a9e76fbd7bfa57ac
                                                            • Instruction Fuzzy Hash: D5D06C3204020DBFDF028F84DD06EDA3BAAFB48714F014040BE1856020C736E821AB90
                                                            APIs
                                                            • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 007C1CBC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: InfoParametersSystem
                                                            • String ID:
                                                            • API String ID: 3098949447-0
                                                            • Opcode ID: 7247f474cee23eaaaf44ee1b64d6a6effc902ddcffec0a35d9e4a20e29bc3c98
                                                            • Instruction ID: ad29ef87f67f7163155c2409e449ff87e6ac1f62e69bf18863f76f80ede139d5
                                                            • Opcode Fuzzy Hash: 7247f474cee23eaaaf44ee1b64d6a6effc902ddcffec0a35d9e4a20e29bc3c98
                                                            • Instruction Fuzzy Hash: DAC0923A280305AFF614ABD0BC4EF107764B348B01F488002F60DA96E3D3B62820EA50
                                                            APIs
                                                              • Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2
                                                            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0085961A
                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0085965B
                                                            • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0085969F
                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008596C9
                                                            • SendMessageW.USER32 ref: 008596F2
                                                            • GetKeyState.USER32(00000011), ref: 0085978B
                                                            • GetKeyState.USER32(00000009), ref: 00859798
                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008597AE
                                                            • GetKeyState.USER32(00000010), ref: 008597B8
                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008597E9
                                                            • SendMessageW.USER32 ref: 00859810
                                                            • SendMessageW.USER32(?,00001030,?,00857E95), ref: 00859918
                                                            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0085992E
                                                            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00859941
                                                            • SetCapture.USER32(?), ref: 0085994A
                                                            • ClientToScreen.USER32(?,?), ref: 008599AF
                                                            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008599BC
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008599D6
                                                            • ReleaseCapture.USER32 ref: 008599E1
                                                            • GetCursorPos.USER32(?), ref: 00859A19
                                                            • ScreenToClient.USER32(?,?), ref: 00859A26
                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00859A80
                                                            • SendMessageW.USER32 ref: 00859AAE
                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00859AEB
                                                            • SendMessageW.USER32 ref: 00859B1A
                                                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00859B3B
                                                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00859B4A
                                                            • GetCursorPos.USER32(?), ref: 00859B68
                                                            • ScreenToClient.USER32(?,?), ref: 00859B75
                                                            • GetParent.USER32(?), ref: 00859B93
                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00859BFA
                                                            • SendMessageW.USER32 ref: 00859C2B
                                                            • ClientToScreen.USER32(?,?), ref: 00859C84
                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00859CB4
                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00859CDE
                                                            • SendMessageW.USER32 ref: 00859D01
                                                            • ClientToScreen.USER32(?,?), ref: 00859D4E
                                                            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00859D82
                                                              • Part of subcall function 007D9944: GetWindowLongW.USER32(?,000000EB), ref: 007D9952
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00859E05
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                            • String ID: @GUI_DRAGID$F
                                                            • API String ID: 3429851547-4164748364
                                                            • Opcode ID: e2fc6c36f30d0f4fd7dddbf76f09c9b018e2cfb7dd94b104ec40b2de4a91bd53
                                                            • Instruction ID: 7495d863705b04013d9cd65f269129a0830b2da7067333c66d2fa462d714347d
                                                            • Opcode Fuzzy Hash: e2fc6c36f30d0f4fd7dddbf76f09c9b018e2cfb7dd94b104ec40b2de4a91bd53
                                                            • Instruction Fuzzy Hash: 9C428A34204301EFDB21CF64C948AAABBE5FF58356F14061EFA99C72A1E731A958DF41
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008548F3
                                                            • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00854908
                                                            • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00854927
                                                            • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0085494B
                                                            • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0085495C
                                                            • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0085497B
                                                            • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008549AE
                                                            • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008549D4
                                                            • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00854A0F
                                                            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00854A56
                                                            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00854A7E
                                                            • IsMenu.USER32(?), ref: 00854A97
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00854AF2
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00854B20
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00854B94
                                                            • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00854BE3
                                                            • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00854C82
                                                            • wsprintfW.USER32 ref: 00854CAE
                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00854CC9
                                                            • GetWindowTextW.USER32(?,00000000,00000001), ref: 00854CF1
                                                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00854D13
                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00854D33
                                                            • GetWindowTextW.USER32(?,00000000,00000001), ref: 00854D5A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                            • String ID: %d/%02d/%02d
                                                            • API String ID: 4054740463-328681919
                                                            • Opcode ID: dbb6517eff6d5d11ebb3aeb970adf8b04e63e1c2ff76ebb791e2471786199e73
                                                            • Instruction ID: d1f01ec65d889646e4bbe05b457d179a2dfe5ac21c69df3b6d093944e8465031
                                                            • Opcode Fuzzy Hash: dbb6517eff6d5d11ebb3aeb970adf8b04e63e1c2ff76ebb791e2471786199e73
                                                            • Instruction Fuzzy Hash: BB12D271500318AFEB258F28CC49FAE7BF4FF45319F105119F916EA2A1DB789989CB50
                                                            APIs
                                                            • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 007DF998
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0081F474
                                                            • IsIconic.USER32(00000000), ref: 0081F47D
                                                            • ShowWindow.USER32(00000000,00000009), ref: 0081F48A
                                                            • SetForegroundWindow.USER32(00000000), ref: 0081F494
                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0081F4AA
                                                            • GetCurrentThreadId.KERNEL32 ref: 0081F4B1
                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0081F4BD
                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0081F4CE
                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0081F4D6
                                                            • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0081F4DE
                                                            • SetForegroundWindow.USER32(00000000), ref: 0081F4E1
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0081F4F6
                                                            • keybd_event.USER32(00000012,00000000), ref: 0081F501
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0081F50B
                                                            • keybd_event.USER32(00000012,00000000), ref: 0081F510
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0081F519
                                                            • keybd_event.USER32(00000012,00000000), ref: 0081F51E
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0081F528
                                                            • keybd_event.USER32(00000012,00000000), ref: 0081F52D
                                                            • SetForegroundWindow.USER32(00000000), ref: 0081F530
                                                            • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0081F557
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 4125248594-2988720461
                                                            • Opcode ID: adc3e80ab14f2537985b3e29ef81caf63afa988af821e34e49eef7232a3576e0
                                                            • Instruction ID: 4788ae02cdb41e003dd86e4f6a54a942c696b004a71c4ba8466ccbb75e742ea2
                                                            • Opcode Fuzzy Hash: adc3e80ab14f2537985b3e29ef81caf63afa988af821e34e49eef7232a3576e0
                                                            • Instruction Fuzzy Hash: 74315D71A40318BFEB216BB55C4AFBF7EADFB44B51F10006AFA01E61D1D6B45940AEA0
                                                            APIs
                                                              • Part of subcall function 008216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0082170D
                                                              • Part of subcall function 008216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0082173A
                                                              • Part of subcall function 008216C3: GetLastError.KERNEL32 ref: 0082174A
                                                            • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00821286
                                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008212A8
                                                            • CloseHandle.KERNEL32(?), ref: 008212B9
                                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008212D1
                                                            • GetProcessWindowStation.USER32 ref: 008212EA
                                                            • SetProcessWindowStation.USER32(00000000), ref: 008212F4
                                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00821310
                                                              • Part of subcall function 008210BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008211FC), ref: 008210D4
                                                              • Part of subcall function 008210BF: CloseHandle.KERNEL32(?,?,008211FC), ref: 008210E9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                            • String ID: $default$winsta0
                                                            • API String ID: 22674027-1027155976
                                                            • Opcode ID: e5daeea9b84594c71151ba3bcd7c9ae281aaf4c2f2ad0eed50677bfe337171c0
                                                            • Instruction ID: 189d737593fb3265f54c5bf4c5e4f8c9a02d118bdda8bc135b7505aaa275f402
                                                            • Opcode Fuzzy Hash: e5daeea9b84594c71151ba3bcd7c9ae281aaf4c2f2ad0eed50677bfe337171c0
                                                            • Instruction Fuzzy Hash: 93818C71900318AFDF109FA4EC89BEE7BBAFF14704F244129F915E61A0C7358A84CB65
                                                            APIs
                                                              • Part of subcall function 008210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00821114
                                                              • Part of subcall function 008210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 00821120
                                                              • Part of subcall function 008210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 0082112F
                                                              • Part of subcall function 008210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 00821136
                                                              • Part of subcall function 008210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0082114D
                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00820BCC
                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00820C00
                                                            • GetLengthSid.ADVAPI32(?), ref: 00820C17
                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00820C51
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00820C6D
                                                            • GetLengthSid.ADVAPI32(?), ref: 00820C84
                                                            • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00820C8C
                                                            • HeapAlloc.KERNEL32(00000000), ref: 00820C93
                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00820CB4
                                                            • CopySid.ADVAPI32(00000000), ref: 00820CBB
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00820CEA
                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00820D0C
                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00820D1E
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820D45
                                                            • HeapFree.KERNEL32(00000000), ref: 00820D4C
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820D55
                                                            • HeapFree.KERNEL32(00000000), ref: 00820D5C
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820D65
                                                            • HeapFree.KERNEL32(00000000), ref: 00820D6C
                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00820D78
                                                            • HeapFree.KERNEL32(00000000), ref: 00820D7F
                                                              • Part of subcall function 00821193: GetProcessHeap.KERNEL32(00000008,00820BB1,?,00000000,?,00820BB1,?), ref: 008211A1
                                                              • Part of subcall function 00821193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00820BB1,?), ref: 008211A8
                                                              • Part of subcall function 00821193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00820BB1,?), ref: 008211B7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                            • String ID:
                                                            • API String ID: 4175595110-0
                                                            • Opcode ID: d54d874cb22441d75da3f9d84193c316e3ba45def43ab320dd0fb61cc4c78d87
                                                            • Instruction ID: 641ec00acecd121221b228d8797cec1371a6dd794b0a548683ee64548230cec5
                                                            • Opcode Fuzzy Hash: d54d874cb22441d75da3f9d84193c316e3ba45def43ab320dd0fb61cc4c78d87
                                                            • Instruction Fuzzy Hash: E671597290131AAFEF10DFA4EC48BAEBBB8FF04311F144615E914E6292D775AA45CF60
                                                            APIs
                                                            • OpenClipboard.USER32(0085CC08), ref: 0083EB29
                                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 0083EB37
                                                            • GetClipboardData.USER32(0000000D), ref: 0083EB43
                                                            • CloseClipboard.USER32 ref: 0083EB4F
                                                            • GlobalLock.KERNEL32(00000000), ref: 0083EB87
                                                            • CloseClipboard.USER32 ref: 0083EB91
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0083EBBC
                                                            • IsClipboardFormatAvailable.USER32(00000001), ref: 0083EBC9
                                                            • GetClipboardData.USER32(00000001), ref: 0083EBD1
                                                            • GlobalLock.KERNEL32(00000000), ref: 0083EBE2
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0083EC22
                                                            • IsClipboardFormatAvailable.USER32(0000000F), ref: 0083EC38
                                                            • GetClipboardData.USER32(0000000F), ref: 0083EC44
                                                            • GlobalLock.KERNEL32(00000000), ref: 0083EC55
                                                            • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0083EC77
                                                            • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0083EC94
                                                            • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0083ECD2
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0083ECF3
                                                            • CountClipboardFormats.USER32 ref: 0083ED14
                                                            • CloseClipboard.USER32 ref: 0083ED59
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                            • String ID:
                                                            • API String ID: 420908878-0
                                                            • Opcode ID: 36abdb4d2a39b6330269198a73a9f2e54dc725056de46f732a980c56ef7416bb
                                                            • Instruction ID: e53a546f8c9999e7fcb6413386186fc18c786240257333908dad08d23a8e1097
                                                            • Opcode Fuzzy Hash: 36abdb4d2a39b6330269198a73a9f2e54dc725056de46f732a980c56ef7416bb
                                                            • Instruction Fuzzy Hash: B6618734204305AFD310EF24D899F6AB7A4FB84715F14455DF856EB2E2CB39E906CBA2
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 008369BE
                                                            • FindClose.KERNEL32(00000000), ref: 00836A12
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00836A4E
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00836A75
                                                              • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00836AB2
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00836ADF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                            • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                            • API String ID: 3830820486-3289030164
                                                            • Opcode ID: 63611f617388664a2a8f7d1aa471fe835d2ce0f3f2a01d8cb9ebf50e6612b545
                                                            • Instruction ID: 13a79d0c0e8ede26f898829a0e932fa5790bc2b96aec77f9a5c52a65340df2e5
                                                            • Opcode Fuzzy Hash: 63611f617388664a2a8f7d1aa471fe835d2ce0f3f2a01d8cb9ebf50e6612b545
                                                            • Instruction Fuzzy Hash: 86D14072508344AEC314EBA4C889EABB7ECFF88704F04491DF585D7291EB78DA44CB62
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00839663
                                                            • GetFileAttributesW.KERNEL32(?), ref: 008396A1
                                                            • SetFileAttributesW.KERNEL32(?,?), ref: 008396BB
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 008396D3
                                                            • FindClose.KERNEL32(00000000), ref: 008396DE
                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 008396FA
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0083974A
                                                            • SetCurrentDirectoryW.KERNEL32(00886B7C), ref: 00839768
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00839772
                                                            • FindClose.KERNEL32(00000000), ref: 0083977F
                                                            • FindClose.KERNEL32(00000000), ref: 0083978F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                            • String ID: *.*
                                                            • API String ID: 1409584000-438819550
                                                            • Opcode ID: 421aa47c148791589dc627f242d3916e2e33d2fd84a34e030788c84d137eb0da
                                                            • Instruction ID: 8c1203cdcf71c2b285037030e75e581a967151d7c819585205e83cd7fd5d188b
                                                            • Opcode Fuzzy Hash: 421aa47c148791589dc627f242d3916e2e33d2fd84a34e030788c84d137eb0da
                                                            • Instruction Fuzzy Hash: 2E31DF3264131AAEDB10AFB4DC49ADE37ACFF89321F104055E955E21A0EBB8DE448E90
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 008397BE
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00839819
                                                            • FindClose.KERNEL32(00000000), ref: 00839824
                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00839840
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00839890
                                                            • SetCurrentDirectoryW.KERNEL32(00886B7C), ref: 008398AE
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 008398B8
                                                            • FindClose.KERNEL32(00000000), ref: 008398C5
                                                            • FindClose.KERNEL32(00000000), ref: 008398D5
                                                              • Part of subcall function 0082DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0082DB00
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                            • String ID: *.*
                                                            • API String ID: 2640511053-438819550
                                                            • Opcode ID: 6f1178124a721a8f52b334c02247c60d2dafa025c82928853da0e31eff09bea3
                                                            • Instruction ID: 449ec07277ee5a4cdeea5c1978d4eee385714cd02eadaa958147d32036fdcebf
                                                            • Opcode Fuzzy Hash: 6f1178124a721a8f52b334c02247c60d2dafa025c82928853da0e31eff09bea3
                                                            • Instruction Fuzzy Hash: 3231B33150131D6EDB10AFA4DC48ADE77ACFF86325F104165E990E21A0DBB9DD44CFA0
                                                            APIs
                                                              • Part of subcall function 0084C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084B6AE,?,?), ref: 0084C9B5
                                                              • Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084C9F1
                                                              • Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA68
                                                              • Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA9E
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0084BF3E
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0084BFA9
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0084BFCD
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0084C02C
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0084C0E7
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0084C154
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0084C1E9
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0084C23A
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0084C2E3
                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0084C382
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0084C38F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                                                            • String ID:
                                                            • API String ID: 3102970594-0
                                                            • Opcode ID: 9bb1daa4eb5e4db2a2da0097b6b3d0f16c0e0f0058e3099cdf2b39cbe55e6377
                                                            • Instruction ID: 260a4fde1eb0085a46b46a62e372c514a7acb92afa9703b00995423552b7a087
                                                            • Opcode Fuzzy Hash: 9bb1daa4eb5e4db2a2da0097b6b3d0f16c0e0f0058e3099cdf2b39cbe55e6377
                                                            • Instruction Fuzzy Hash: 3C023B71604204DFC754DF24C895E2ABBE9FF89318F18849DE84ACB2A2DB35EC45CB51
                                                            APIs
                                                            • GetLocalTime.KERNEL32(?), ref: 00838257
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00838267
                                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00838273
                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00838310
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00838324
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00838356
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0083838C
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00838395
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectoryTime$File$Local$System
                                                            • String ID: *.*
                                                            • API String ID: 1464919966-438819550
                                                            • Opcode ID: 03f29ab38121bcebfaffb890135444379567170c65a41e80f9e8d763868ce2c4
                                                            • Instruction ID: 80521cf6fc8dd3a4c1a98dc36ca99412a0248162cc372135e43c3ebea490ea4e
                                                            • Opcode Fuzzy Hash: 03f29ab38121bcebfaffb890135444379567170c65a41e80f9e8d763868ce2c4
                                                            • Instruction Fuzzy Hash: 336145725043459FCB10EF64D845AAEB3E8FF89314F04892EF989C7251EB39E945CB92
                                                            APIs
                                                              • Part of subcall function 007C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007C3A97,?,?,007C2E7F,?,?,?,00000000), ref: 007C3AC2
                                                              • Part of subcall function 0082E199: GetFileAttributesW.KERNEL32(?,0082CF95), ref: 0082E19A
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0082D122
                                                            • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0082D1DD
                                                            • MoveFileW.KERNEL32(?,?), ref: 0082D1F0
                                                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 0082D20D
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0082D237
                                                              • Part of subcall function 0082D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0082D21C,?,?), ref: 0082D2B2
                                                            • FindClose.KERNEL32(00000000,?,?,?), ref: 0082D253
                                                            • FindClose.KERNEL32(00000000), ref: 0082D264
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                            • String ID: \*.*
                                                            • API String ID: 1946585618-1173974218
                                                            • Opcode ID: 24186872c4590a091d124eb0753dd35f15ebdf2670069b5f3f7c20ca383c5d27
                                                            • Instruction ID: 9fe4b491271b290dcad34dc5d42572d1cca295e1e6d1081bed61c7cd83211849
                                                            • Opcode Fuzzy Hash: 24186872c4590a091d124eb0753dd35f15ebdf2670069b5f3f7c20ca383c5d27
                                                            • Instruction Fuzzy Hash: E4613B3180121DEACF05EBA0E956EEDBBB5FF15305F208169E401B7191EB35AF49CB61
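The per-function API listings above (the window-station/desktop DACL grant, the clipboard reader, the directory walks, the remote registry reader and the delete/move loop) are what an analyst triages in a report like this, and the order of calls is the signal, not any single API. The Python below is an added example for that triage; it is not Joe Sandbox code and not code from the sample. It parses the `• Api.MODULE(args), ref: addr` lines (including `Part of subcall function` lines), checks each function's call order against a few behaviour chains, and decodes the constants that matter here: the clipboard formats 0x1/0xD/0xF (CF_TEXT, CF_UNICODETEXT, CF_HDROP) and the CreateFileW access/disposition values. The chain names are this example's own labels, and the sample input is constructed: lines copied from this report's clipboard function plus the CreateFileW subcall line from the directory-walk listing.

```python
"""Triage helper for Joe Sandbox per-function "APIs" listings.
Added example; not Joe Sandbox code and not the analysed sample's code."""
import re

# One listing line, e.g.
#   • GetClipboardData.USER32(0000000D), ref: 0083EB43
#   • CloseClipboard.USER32 ref: 0083EB4F
#   • Part of subcall function 008210F9: HeapAlloc.KERNEL32(00000000,?), ref: 00821136
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX32 = re.compile(r"^[0-9A-F]{8}$")

# Behaviour chains (labels chosen for this example): ordered subsequences of
# API names that must appear, in this order, within one function's listing.
CHAINS = {
    "clipboard_read": ["OpenClipboard", "IsClipboardFormatAvailable",
                       "GetClipboardData", "GlobalLock"],
    "winsta_desktop_dacl_grant": ["GetUserObjectSecurity", "GetSecurityDescriptorDacl",
                                  "AddAce", "SetSecurityDescriptorDacl",
                                  "SetUserObjectSecurity"],
    "recursive_dir_walk": ["FindFirstFileW", "SetCurrentDirectoryW",
                           "FindNextFileW", "FindClose"],
    "remote_registry_read": ["RegConnectRegistryW", "RegOpenKeyExW",
                             "RegQueryValueExW", "RegCloseKey"],
    "file_delete_or_move": ["FindFirstFileW", "DeleteFileW", "MoveFileW"],
}

# Win32 constants seen in the listings.
CF_FORMATS = {1: "CF_TEXT", 13: "CF_UNICODETEXT", 15: "CF_HDROP"}
GENERIC_ACCESS = ((0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"))
CREATE_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                      4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def parse_args(text):
    """Split an argument list; 8-hex-digit tokens become ints, '?' and literals stay strings."""
    if text is None:
        return []
    out = []
    for tok in text.split(","):
        tok = tok.strip()
        out.append(int(tok, 16) if HEX32.match(tok) else tok)
    return out


def parse_listing(text):
    """Return the API calls of one function in listing order; non-API lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        calls.append({"api": m["api"], "module": m["mod"], "args": parse_args(m["args"]),
                      "ref": int(m["ref"], 16), "subcall": m["sub"]})
    return calls


def is_subsequence(chain, names):
    """True if every name in chain occurs in names, in order (gaps allowed)."""
    it = iter(names)
    return all(want in it for want in chain)


def detect_chains(calls):
    """Names of the behaviour chains whose call order appears in this function."""
    names = [c["api"] for c in calls]
    return sorted(name for name, chain in CHAINS.items() if is_subsequence(chain, names))


def decode_constants(calls):
    """(ref, api, decoded) for the clipboard-format and CreateFileW constants."""
    notes = []
    for c in calls:
        a = c["args"]
        if c["api"] in ("GetClipboardData", "IsClipboardFormatAvailable") \
                and a and isinstance(a[0], int):
            notes.append((c["ref"], c["api"], CF_FORMATS.get(a[0], f"format {a[0]:#x}")))
        elif c["api"] == "CreateFileW" and len(a) >= 5 \
                and isinstance(a[1], int) and isinstance(a[4], int):
            access = "|".join(n for bit, n in GENERIC_ACCESS if a[1] & bit)
            notes.append((c["ref"], c["api"],
                          f"{access}, {CREATE_DISPOSITION.get(a[4], str(a[4]))}"))
    return notes


# Constructed input: lines copied from this report's clipboard-reading function,
# plus the CreateFileW subcall line from the directory-walk listing.
SAMPLE = """\
APIs
• OpenClipboard.USER32(0085CC08), ref: 0083EB29
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0083EB37
• GetClipboardData.USER32(0000000D), ref: 0083EB43
• CloseClipboard.USER32 ref: 0083EB4F
• GlobalLock.KERNEL32(00000000), ref: 0083EB87
• IsClipboardFormatAvailable.USER32(0000000F), ref: 0083EC38
• GetClipboardData.USER32(0000000F), ref: 0083EC44
• DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0083EC77
  • Part of subcall function 0082DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0082DB00
Memory Dump Source
"""

if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    print("chains:", detect_chains(parsed))
    for ref, api, decoded in decode_constants(parsed):
        print(f"{ref:08X} {api}: {decoded}")
```

Run it against one function's listing at a time, since the chains are meant to match call order within a single function; feeding a whole report concatenated would let unrelated functions satisfy a chain between them. The subsequence check deliberately allows gaps (the clipboard function interleaves CloseClipboard and GlobalUnlock between the chain's calls), so treat a hit as a triage lead that still needs the IDA graph, not as a verdict.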
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                            • String ID:
                                                            • API String ID: 1737998785-0
                                                            • Opcode ID: 0e7c19d3b466dbeadc6d753668fcd6fbda10d6c330901570fb48b6f1e5d26c76
                                                            • Instruction ID: fb1518ab664c1fdc34a772a98ec5f27192b69b53bafff1a7ba1903821226887f
                                                            • Opcode Fuzzy Hash: 0e7c19d3b466dbeadc6d753668fcd6fbda10d6c330901570fb48b6f1e5d26c76
                                                            • Instruction Fuzzy Hash: D5415A35604611AFE721DF19D888B2ABBE5FF84319F14809DE4198B6A2C779ED42CBD0
                                                            APIs
                                                              • Part of subcall function 008216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0082170D
                                                              • Part of subcall function 008216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0082173A
                                                              • Part of subcall function 008216C3: GetLastError.KERNEL32 ref: 0082174A
                                                            • ExitWindowsEx.USER32(?,00000000), ref: 0082E932
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                            • String ID: $ $@$SeShutdownPrivilege
                                                            • API String ID: 2234035333-3163812486
                                                            • Opcode ID: 8dcf975e2b9081bf01cfdfed69f9e263a867fd40f78e9c567a917a2081925c78
                                                            • Instruction ID: 5071fd7efcbfa037d2953aaceb0d7643c6aeea112462caad5b8c042c399538a1
                                                            • Opcode Fuzzy Hash: 8dcf975e2b9081bf01cfdfed69f9e263a867fd40f78e9c567a917a2081925c78
                                                            • Instruction Fuzzy Hash: E8012672610334AFEF1426B8BC8ABBF765CF714745F150423FC12E21D1E6A45CC08698
                                                            APIs
                                                            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00841276
                                                            • WSAGetLastError.WSOCK32 ref: 00841283
                                                            • bind.WSOCK32(00000000,?,00000010), ref: 008412BA
                                                            • WSAGetLastError.WSOCK32 ref: 008412C5
                                                            • closesocket.WSOCK32(00000000), ref: 008412F4
                                                            • listen.WSOCK32(00000000,00000005), ref: 00841303
                                                            • WSAGetLastError.WSOCK32 ref: 0084130D
                                                            • closesocket.WSOCK32(00000000), ref: 0084133C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$closesocket$bindlistensocket
                                                            • String ID:
                                                            • API String ID: 540024437-0
                                                            • Opcode ID: 9472d9678ec0d39e0cc8d7a695e916621de3202bd08b681fa75d9848e943e7ff
                                                            • Instruction ID: e31c1f9b46b11e0b3bc09208e31a0e3681fe6d348abf86600727df05a71ed020
                                                            • Opcode Fuzzy Hash: 9472d9678ec0d39e0cc8d7a695e916621de3202bd08b681fa75d9848e943e7ff
                                                            • Instruction Fuzzy Hash: 0F416C316002149FDB10DF64C488B2ABBE5FF46319F18819CE856CB392C775EC81CBA1
                                                            APIs
                                                            • _free.LIBCMT ref: 007FB9D4
                                                            • _free.LIBCMT ref: 007FB9F8
                                                            • _free.LIBCMT ref: 007FBB7F
                                                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00863700), ref: 007FBB91
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0089121C,000000FF,00000000,0000003F,00000000,?,?), ref: 007FBC09
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00891270,000000FF,?,0000003F,00000000,?), ref: 007FBC36
                                                            • _free.LIBCMT ref: 007FBD4B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                            • String ID:
                                                            • API String ID: 314583886-0
                                                            • Opcode ID: 22814db96b57b7ac7d10278d505dec51c32e51069708450d642cb5d09cfa0bb7
                                                            • Instruction ID: 97dd219ba3d637d4252c21f76e7b2626a093dffbc6b6a9b921c71ddaa9a5642a
                                                            • Opcode Fuzzy Hash: 22814db96b57b7ac7d10278d505dec51c32e51069708450d642cb5d09cfa0bb7
                                                            • Instruction Fuzzy Hash: 43C12671A0420DEFCB20EF69DC45ABABBA9EF45310F18419AE690D7352E7389E41CB50
                                                            APIs
                                                              • Part of subcall function 007C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007C3A97,?,?,007C2E7F,?,?,?,00000000), ref: 007C3AC2
                                                              • Part of subcall function 0082E199: GetFileAttributesW.KERNEL32(?,0082CF95), ref: 0082E19A
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0082D420
                                                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 0082D470
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0082D481
                                                            • FindClose.KERNEL32(00000000), ref: 0082D498
                                                            • FindClose.KERNEL32(00000000), ref: 0082D4A1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                            • String ID: \*.*
                                                            • API String ID: 2649000838-1173974218
                                                            • Opcode ID: f080ed14bcdcb35b92ca70182a4d171dba9eec06ea348799033a864e714e2559
                                                            • Instruction ID: 615641e02b6d5943bc765685a787c11ed9b49c04e975da90cbdd587b567bf55b
                                                            • Opcode Fuzzy Hash: f080ed14bcdcb35b92ca70182a4d171dba9eec06ea348799033a864e714e2559
                                                            • Instruction Fuzzy Hash: E9318D31008355AFC200EF64D89ADAFBBE8FE91305F404A1DF4D593191EB38AA098B67
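The function records above (the socket/bind/listen chain, the LookupPrivilegeValueW/AdjustTokenPrivileges/ExitWindowsEx chain with the SeShutdownPrivilege string, and the FindFirstFileW/DeleteFileW/FindNextFileW loop over \*.*) are the raw material an analyst turns into capability findings. The script below is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it parses records in the "APIs" / "Similarity" layout used on this page, decodes the constant operands of socket() into Winsock names, and applies a small set of API-chain rules. The rule labels, the constant tables and the SAMPLE text (an excerpt copied from the records above, trimmed to the lines the parser reads) are my own construction.

```python
"""Triage capability findings from Joe Sandbox IDA Plugin function records.

Added example (not Joe Sandbox code). Parses the per-function "APIs" and
"Similarity" blocks shown in the report and flags API chains of interest.
"""
import re
from dataclasses import dataclass, field

# Constructed input: four records copied from the report in its own layout,
# trimmed to the lines this parser uses (Memory Dump Source lines omitted).
SAMPLE = """\
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00841276
• WSAGetLastError.WSOCK32 ref: 00841283
• bind.WSOCK32(00000000,?,00000010), ref: 008412BA
• listen.WSOCK32(00000000,00000005), ref: 00841303
• closesocket.WSOCK32(00000000), ref: 0084133C
Similarity
• API ID: ErrorLast$closesocket$bindlistensocket
• String ID:
• Opcode ID: 9472d9678ec0d39e0cc8d7a695e916621de3202bd08b681fa75d9848e943e7ff
APIs
  • Part of subcall function 008216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0082170D
  • Part of subcall function 008216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0082173A
• ExitWindowsEx.USER32(?,00000000), ref: 0082E932
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $ $@$SeShutdownPrivilege
• Opcode ID: 8dcf975e2b9081bf01cfdfed69f9e263a867fd40f78e9c567a917a2081925c78
APIs
  • Part of subcall function 0082E199: GetFileAttributesW.KERNEL32(?,0082CF95), ref: 0082E19A
• FindFirstFileW.KERNEL32(?,?), ref: 0082D420
• DeleteFileW.KERNEL32(?,?,?,?), ref: 0082D470
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0082D481
• FindClose.KERNEL32(00000000), ref: 0082D498
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \\*.*
• Opcode ID: f080ed14bcdcb35b92ca70182a4d171dba9eec06ea348799033a864e714e2559
APIs
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0084185D
• bind.WSOCK32(00000000,?,00000010), ref: 008418DB
• closesocket.WSOCK32(00000000), ref: 00841915
Similarity
• API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
• String ID:
• Opcode ID: a85dc9b2d2efb2be5bea299e1687def5d80fa6576a38b8651a1e72d8afbe4b87
"""

# One API call line: optional "Part of subcall function X:" prefix, then
# Name.MODULE(args), ref: ADDR  (args and the comma before "ref" are optional).
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")   # '$'-separated
OPCODE_RE = re.compile(r"^\s*•\s*Opcode ID:\s*(?P<id>[0-9a-f]+)")

# Winsock constants for socket(af, type, protocol); operands are hex in the report.
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

# (label, required API names, required strings) -- my own rule set, not Joe's.
RULES = (
    ("listening socket (possible backdoor)", {"socket", "bind", "listen"}, ()),
    ("shutdown/reboot via ExitWindowsEx", {"ExitWindowsEx", "AdjustTokenPrivileges"},
     ("SeShutdownPrivilege",)),
    ("directory walk with file deletion", {"FindFirstFileW", "FindNextFileW", "DeleteFileW"}, ()),
    ("synthetic mouse input", {"mouse_event"}, ()),
)


@dataclass
class Record:
    opcode_id: str = ""
    calls: list = field(default_factory=list)     # (name, module, args, ref)
    strings: list = field(default_factory=list)

    @property
    def apis(self):
        return {name for name, _, _, _ in self.calls}


def parse_records(text):
    """Split the report text into Record objects, one per "APIs" header."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = Record()
            records.append(current)
            continue
        if current is None:
            continue
        if m := API_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.calls.append((m["name"], m["module"], args, m["ref"]))
        elif m := STRING_RE.match(line):
            current.strings = [s for s in m["ids"].split("$") if s.strip()]
        elif m := OPCODE_RE.match(line):
            current.opcode_id = m["id"]
    return records


def decode_socket_args(args):
    """Render socket(af, type, protocol) operands as Winsock names; '?' is unknown."""
    def lookup(table, value):
        if value == "?":
            return "?"
        n = int(value, 16)
        return table.get(n, f"0x{n:x}")
    if len(args) < 3:
        return "?"
    return "/".join(lookup(t, v) for t, v in zip((AF, SOCK_TYPE, PROTO), args[:3]))


def triage(text):
    """Return one finding dict per record: opcode id, matched rules, decoded socket() calls."""
    out = []
    for rec in parse_records(text):
        findings = [label for label, apis, strs in RULES
                    if apis <= rec.apis and all(s in rec.strings for s in strs)]
        sockets = [decode_socket_args(args) for name, _, args, _ in rec.calls if name == "socket"]
        out.append({"opcode_id": rec.opcode_id, "findings": findings, "sockets": sockets})
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["opcode_id"][:12], r["findings"], r["sockets"])
```

The two socket records illustrate why decoding operands matters: the first creates AF_INET/SOCK_STREAM/IPPROTO_TCP and calls listen(), so it is flagged as a listener, while the second creates a SOCK_DGRAM/IPPROTO_UDP socket and only binds it, which the rule set leaves unflagged rather than overstating. The rules are deliberately strict conjunctions of API names (plus the privilege string for the shutdown chain), so a match is a lead for the analyst, not a verdict about what the AutoIt script actually executes at runtime.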
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: __floor_pentium4
                                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                            • API String ID: 4168288129-2761157908
                                                            • Opcode ID: c5deeb7c77019a7774bbe88b8a3b5b5c4587b165bb169d06e2f2a11e16b92876
                                                            • Instruction ID: 5969104409e1c4813c0d08e527fed1c62a003be1c4700c6778469268557cdac6
                                                            • Opcode Fuzzy Hash: c5deeb7c77019a7774bbe88b8a3b5b5c4587b165bb169d06e2f2a11e16b92876
                                                            • Instruction Fuzzy Hash: E9C23972E0862C8FDB25DE289D447EAB7B5EF48304F1441EAD54DE7251EB78AE818F40
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 008364DC
                                                            • CoInitialize.OLE32(00000000), ref: 00836639
                                                            • CoCreateInstance.OLE32(0085FCF8,00000000,00000001,0085FB68,?), ref: 00836650
                                                            • CoUninitialize.OLE32 ref: 008368D4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                            • String ID: .lnk
                                                            • API String ID: 886957087-24824748
                                                            • Opcode ID: 82dc1d7d0d5d69a94595fe6ed57ca5565697ca02c35e80f0e59637992db5096a
                                                            • Instruction ID: 7884699bc9dbb1309ca1fcbc40d1f855f8448ad8baa7ef460a9ca958ba153c3f
                                                            • Opcode Fuzzy Hash: 82dc1d7d0d5d69a94595fe6ed57ca5565697ca02c35e80f0e59637992db5096a
                                                            • Instruction Fuzzy Hash: 40D13971508201AFC314EF24C885E6BB7E8FF98704F14896DF595CB291EB74E945CBA2
                                                            APIs
                                                            • GetForegroundWindow.USER32(?,?,00000000), ref: 008422E8
                                                              • Part of subcall function 0083E4EC: GetWindowRect.USER32(?,?), ref: 0083E504
                                                            • GetDesktopWindow.USER32 ref: 00842312
                                                            • GetWindowRect.USER32(00000000), ref: 00842319
                                                            • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00842355
                                                            • GetCursorPos.USER32(?), ref: 00842381
                                                            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008423DF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                            • String ID:
                                                            • API String ID: 2387181109-0
                                                            • Opcode ID: dd9985e5f5a9c662794e70c46682f5fa83c8b5e0c6fbeb9c4fe3f70b4ae4e12e
                                                            • Instruction ID: 810de2bb071db58134cd9a79b7a1d84c68972a2eb8331a1207d564cb2832a679
                                                            • Opcode Fuzzy Hash: dd9985e5f5a9c662794e70c46682f5fa83c8b5e0c6fbeb9c4fe3f70b4ae4e12e
                                                            • Instruction Fuzzy Hash: 2031DE72508319AFC720DF58D849B5BBBA9FF88314F400919F985D7291DB34EA48CB96
                                                            APIs
                                                              • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
                                                            • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00839B78
                                                            • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00839C8B
                                                              • Part of subcall function 00833874: GetInputState.USER32 ref: 008338CB
                                                              • Part of subcall function 00833874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00833966
                                                            • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00839BA8
                                                            • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00839C75
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                            • String ID: *.*
                                                            • API String ID: 1972594611-438819550
                                                            • Opcode ID: 56b5ef8e84294f5d511796ba9384d546c47c1ad99c760b3d7a06fa023f13132d
                                                            • Instruction ID: 69db7511985cfd3faa8176fa24c7d23496105801718cfbc4fbe21910bf6d2b42
                                                            • Opcode Fuzzy Hash: 56b5ef8e84294f5d511796ba9384d546c47c1ad99c760b3d7a06fa023f13132d
                                                            • Instruction Fuzzy Hash: 1041607190420A9FCF14DF64C889AEEBBB8FF45311F144159E855E2191EB749E85CFA0
                                                            APIs
                                                              • Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2
                                                            • DefDlgProcW.USER32(?,?,?,?,?), ref: 007D9A4E
                                                            • GetSysColor.USER32(0000000F), ref: 007D9B23
                                                            • SetBkColor.GDI32(?,00000000), ref: 007D9B36
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Color$LongProcWindow
                                                            • String ID:
                                                            • API String ID: 3131106179-0
                                                            • Opcode ID: 9a1fc3f79f46ad1b95f674a0a4bbb3676a9e2d975e24e7bf8a9a3190ed163666
                                                            • Instruction ID: 1b73b3625ebed584ce1ae6604f681e1587e7f5820f09ef493e7543b32790ef7d
                                                            • Opcode Fuzzy Hash: 9a1fc3f79f46ad1b95f674a0a4bbb3676a9e2d975e24e7bf8a9a3190ed163666
                                                            • Instruction Fuzzy Hash: 26A1F871208544FEE725AA2C8C5DDBB2ABDFF82340F19421FF602D67D1DA299D41D272
                                                            APIs
                                                              • Part of subcall function 0084304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0084307A
                                                              • Part of subcall function 0084304E: _wcslen.LIBCMT ref: 0084309B
                                                            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0084185D
                                                            • WSAGetLastError.WSOCK32 ref: 00841884
                                                            • bind.WSOCK32(00000000,?,00000010), ref: 008418DB
                                                            • WSAGetLastError.WSOCK32 ref: 008418E6
                                                            • closesocket.WSOCK32(00000000), ref: 00841915
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                            • String ID:
                                                            • API String ID: 1601658205-0
                                                            • Opcode ID: a85dc9b2d2efb2be5bea299e1687def5d80fa6576a38b8651a1e72d8afbe4b87
                                                            • Instruction ID: 61198057010e9236d6574a5c344dcb625fd313f0edb6d14203b91329a2a66c33
                                                            • Opcode Fuzzy Hash: a85dc9b2d2efb2be5bea299e1687def5d80fa6576a38b8651a1e72d8afbe4b87
                                                            • Instruction Fuzzy Hash: 1951A271A00214AFDB10AF24C88AF2A7BE5EB45718F08805CF9069F3D3CB75AD41CBA1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                            • String ID:
                                                            • API String ID: 292994002-0
                                                            • Opcode ID: 566262696248e5dbd4b84308ccf8380cb6f03908bd29f573eae3ec66d5e55e12
                                                            • Instruction ID: a2c8ba8d8b7389793ea3d61c618eb7c2403768451809dc1f898e63d3d1324611
                                                            • Opcode Fuzzy Hash: 566262696248e5dbd4b84308ccf8380cb6f03908bd29f573eae3ec66d5e55e12
                                                            • Instruction Fuzzy Hash: 3B2180317402119FDB218F1AC888F6A7BA5FF95316B19805CEC4ACB351DB76ED46CB90
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                            • API String ID: 0-1546025612
                                                            • Opcode ID: d5db4372e0aee6701f3b6b3dd530d48b965a06d5988562dca25ebcf03d5abf77
                                                            • Instruction ID: 855aa1bd3fe9e0a5295425c7cbfc0bcbb782bcc33d7bb17cdbd45d181824176f
                                                            • Opcode Fuzzy Hash: d5db4372e0aee6701f3b6b3dd530d48b965a06d5988562dca25ebcf03d5abf77
                                                            • Instruction Fuzzy Hash: 23A26D70A0061ACBDFA4CF58C844BAEB7B1FB54310F2481AED815E7285EB749D91CF91
                                                            APIs
                                                            • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0082AAAC
                                                            • SetKeyboardState.USER32(00000080), ref: 0082AAC8
                                                            • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0082AB36
                                                            • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0082AB88
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: KeyboardState$InputMessagePostSend
                                                            • String ID:
                                                            • API String ID: 432972143-0
                                                            • Opcode ID: 7961dd6c03edbb8bbcabffe87d8a2aaec5cc53b7caf6bcd33daf9b3c5cfc52c7
                                                            • Instruction ID: a02fd9947cc954108be2aa766d480f81aafd8a272a73d776fd8b9a39641ec691
                                                            • Opcode Fuzzy Hash: 7961dd6c03edbb8bbcabffe87d8a2aaec5cc53b7caf6bcd33daf9b3c5cfc52c7
                                                            • Instruction Fuzzy Hash: C031E574A40368AFEB398A68AC05BFA7BA6FF54330F04421AE581D61D1D37589C5CB62
                                                            APIs
                                                            • InternetReadFile.WININET(?,?,00000400,?), ref: 0083CE89
                                                            • GetLastError.KERNEL32(?,00000000), ref: 0083CEEA
                                                            • SetEvent.KERNEL32(?,?,00000000), ref: 0083CEFE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorEventFileInternetLastRead
                                                            • String ID:
                                                            • API String ID: 234945975-0
                                                            • Opcode ID: b535c7682fb65502e2e959284d3cbc0728677a38c14fad6664eeae7ff0868bbd
                                                            • Instruction ID: 5eba52340d0fc9f931780444160074eef5f12488900a4afcc3e2f90fd306d652
                                                            • Opcode Fuzzy Hash: b535c7682fb65502e2e959284d3cbc0728677a38c14fad6664eeae7ff0868bbd
                                                            • Instruction Fuzzy Hash: 42219DB1500705DFD720DF65C948BA677F8FB80759F10481EE546E2151EB74EE058BA4
                                                            APIs
                                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 008282AA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: lstrlen
                                                            • String ID: ($|
                                                            • API String ID: 1659193697-1631851259
                                                            • Opcode ID: 78934d9efd7cd6f3231ba17cf76cda1901bd7f089dc3e1b3222baa6f935f2ef5
                                                            • Instruction ID: 5fd54d3f3e2a233959e17e8c95f6f0ab3db150e36e67f9bbeee596cd98948580
                                                            • Opcode Fuzzy Hash: 78934d9efd7cd6f3231ba17cf76cda1901bd7f089dc3e1b3222baa6f935f2ef5
                                                            • Instruction Fuzzy Hash: 8B323474A01615DFCB28CF59D484A6AB7F0FF48710B15C46EE49ADB3A1EB70E981CB44
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00835CC1
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00835D17
                                                            • FindClose.KERNEL32(?), ref: 00835D5F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Find$File$CloseFirstNext
                                                            • String ID:
                                                            • API String ID: 3541575487-0
                                                            • Opcode ID: 1a7f06781fa7bad7fb78e92020f8500023fa971856637beb5ff7ed01e048c634
                                                            • Instruction ID: 1105f6ec51c421ccc5d586200b0f04816739a7d7706ddbae902bc132fe05ee9f
                                                            • Opcode Fuzzy Hash: 1a7f06781fa7bad7fb78e92020f8500023fa971856637beb5ff7ed01e048c634
                                                            • Instruction Fuzzy Hash: B7517675604A019FC714DF28C498E9AB7E4FF89328F14856EE95ACB3A1CB34ED05CB91
                                                            APIs
                                                            • IsDebuggerPresent.KERNEL32 ref: 007F271A
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 007F2724
                                                            • UnhandledExceptionFilter.KERNEL32(?), ref: 007F2731
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                            • String ID:
                                                            • API String ID: 3906539128-0
                                                            • Opcode ID: 10ebc894270e1cf23958aa9440172fbd19f18fc6110de857bbe4e9572936bc2f
                                                            • Instruction ID: d3409b1ffeda1eb06b8e2ccdcd170fff83586d350365fc7d66be42ba85b96cd4
                                                            • Opcode Fuzzy Hash: 10ebc894270e1cf23958aa9440172fbd19f18fc6110de857bbe4e9572936bc2f
                                                            • Instruction Fuzzy Hash: EC31C27490131CEBCB21DF69DC88798BBB8BF08310F5041EAE90CA6261E7749F818F55
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 008351DA
                                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00835238
                                                            • SetErrorMode.KERNEL32(00000000), ref: 008352A1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DiskFreeSpace
                                                            • String ID:
                                                            • API String ID: 1682464887-0
                                                            • Opcode ID: c350885e730d845385a917e1e28c1a91fe6195b6eb7335b25f5deb7f7d038e58
                                                            • Instruction ID: b4a7c69fe31ad45d214a0b248457badc58ee157461de6ac5e7cabe4c04b15324
                                                            • Opcode Fuzzy Hash: c350885e730d845385a917e1e28c1a91fe6195b6eb7335b25f5deb7f7d038e58
                                                            • Instruction Fuzzy Hash: B6313075A00618DFDB00DF54D888FAEBBB5FF49314F088099E8059B352DB35E856CB91
                                                            APIs
                                                              • Part of subcall function 007DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 007E0668
                                                              • Part of subcall function 007DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 007E0685
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0082170D
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0082173A
                                                            • GetLastError.KERNEL32 ref: 0082174A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                            • String ID:
                                                            • API String ID: 577356006-0
                                                            • Opcode ID: 9bb548874180adaa1dc7724e5725d245c5eb575fcc1b447d327d1b389a4a104a
                                                            • Instruction ID: c5c4bebdd359da7738e28f175c0f787eef01f1c78b5dbc3fa96756cf843a8d3f
                                                            • Opcode Fuzzy Hash: 9bb548874180adaa1dc7724e5725d245c5eb575fcc1b447d327d1b389a4a104a
                                                            • Instruction Fuzzy Hash: 1E11C4B1500308AFD7189F54EC8AD6BB7F9FB44714B20852EE05693241EB74BC418A20
                                                            APIs
                                                            • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0082D608
                                                            • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0082D645
                                                            • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0082D650
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CloseControlCreateDeviceFileHandle
                                                            • String ID:
                                                            • API String ID: 33631002-0
                                                            • Opcode ID: 908b57d00a773d566cfa060b9d8cc19afa5c85d2f184e77ffdfafcfd60531cb1
                                                            • Instruction ID: 8ca2fb64506ee0136a5deb8e8dc1e0e369a1d18b870986b2ad6dbcb79faf95ea
                                                            • Opcode Fuzzy Hash: 908b57d00a773d566cfa060b9d8cc19afa5c85d2f184e77ffdfafcfd60531cb1
                                                            • Instruction Fuzzy Hash: B2115A75A01328BFDB108B94AC44BAFBFBCEB45B50F108111F914E7290C2744A018BE1
                                                            APIs
                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0082168C
                                                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008216A1
                                                            • FreeSid.ADVAPI32(?), ref: 008216B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                            • String ID:
                                                            • API String ID: 3429775523-0
                                                            • Opcode ID: 88633034a830d78e39222853eed5c69aae2afe0f298de041f93ca422e5f8d130
                                                            • Instruction ID: 9d117cfbce64223219f6fad3f8e8cda687736454418c79dfb69858b7830316e9
                                                            • Opcode Fuzzy Hash: 88633034a830d78e39222853eed5c69aae2afe0f298de041f93ca422e5f8d130
                                                            • Instruction Fuzzy Hash: 30F0F471950309FFDF00DFE49C89AAEBBBCFB08606F504565E501E2181E774AA448A50
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: /
                                                            • API String ID: 0-2043925204
                                                            • Opcode ID: 3421ba6684a3fe4febd347a3dd756ee8f566c1f6f2419d67a8bd0fdce8b1b199
                                                            • Instruction ID: 370dd48423118ef907aa6bb45a3cfbda90c07b2896799114157edbe7bbda3162
                                                            • Opcode Fuzzy Hash: 3421ba6684a3fe4febd347a3dd756ee8f566c1f6f2419d67a8bd0fdce8b1b199
                                                            • Instruction Fuzzy Hash: 0F41267290021DAFCB209FB9DD49EBB77B8FB84354F1042A9FA15D7280E6759D81CB50
                                                            APIs
                                                            • GetUserNameW.ADVAPI32(?,?), ref: 0081D28C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: NameUser
                                                            • String ID: X64
                                                            • API String ID: 2645101109-893830106
                                                            • Opcode ID: 3f6fc09f3eb1d1cdebf608075141b4334536ab542e9a732197ccb1418ee70475
                                                            • Instruction ID: 56d72ad8b44ce74ed4dcec98351b227a4968666cccc3ed16a6f493636c2dca3d
                                                            • Opcode Fuzzy Hash: 3f6fc09f3eb1d1cdebf608075141b4334536ab542e9a732197ccb1418ee70475
                                                            • Instruction Fuzzy Hash: 7ED0C9B480121DEECF90CB90DC88DD9B3BCFB14305F100152F106E2140D77895488F10
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                            • Instruction ID: dbe4d6b337ddd621e0805d54e63a0751eb1e42788515ae04d0a86829f8a7c18f
                                                            • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                            • Instruction Fuzzy Hash: C0024D76E012599FDF15CFA9C8806ADFBF1FF48314F258169E919EB380D735A9028B90
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00836918
                                                            • FindClose.KERNEL32(00000000), ref: 00836961
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID:
                                                            • API String ID: 2295610775-0
                                                            • Opcode ID: 5f50fcd9df2ceff515cb41240a528f378118e50811e49e0290395f5f2695e825
                                                            • Instruction ID: ad3a254000084adc0876b2f50f9d1c212c33c4a503dc35e345705abc8a4fa975
                                                            • Opcode Fuzzy Hash: 5f50fcd9df2ceff515cb41240a528f378118e50811e49e0290395f5f2695e825
                                                            • Instruction Fuzzy Hash: 7D117C31604200AFC710DF29D488B16BBE5FF85329F14C69DE8698B6A2DB34EC05CB91
                                                            APIs
                                                            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00844891,?,?,00000035,?), ref: 008337E4
                                                            • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00844891,?,?,00000035,?), ref: 008337F4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorFormatLastMessage
                                                            • String ID:
                                                            • API String ID: 3479602957-0
                                                            • Opcode ID: a51af313349052161755deb9e673d7d2f57ec76187e8424c5cbd3ec1fedd7e5e
                                                            • Instruction ID: 546a499f8df207b88de0e17828b69375eca521a82fe90ac08822eb561bd65a1f
                                                            • Opcode Fuzzy Hash: a51af313349052161755deb9e673d7d2f57ec76187e8424c5cbd3ec1fedd7e5e
                                                            • Instruction Fuzzy Hash: 30F0E5B06043296AEB6017768C4DFEB3BAEFFC4761F000179F609D2291D9609904CBF0
                                                            APIs
                                                            • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0082B25D
                                                            • keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 0082B270
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: InputSendkeybd_event
                                                            • String ID:
                                                            • API String ID: 3536248340-0
                                                            • Opcode ID: 7203c404b4134019538a385ef0c67f8396eb36deb092c1b1c0b5e07b5e63e5ab
                                                            • Instruction ID: 70e296ba3ac1022db4c4ea49949c0891c8b6b2d659e79fa57c9789c6e2d2e816
                                                            • Opcode Fuzzy Hash: 7203c404b4134019538a385ef0c67f8396eb36deb092c1b1c0b5e07b5e63e5ab
                                                            • Instruction Fuzzy Hash: E2F01D7180434DAFDB059FA4D805BAE7FB4FF0830AF008009F955A6192D3798651DF94
                                                            APIs
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008211FC), ref: 008210D4
                                                            • CloseHandle.KERNEL32(?,?,008211FC), ref: 008210E9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: AdjustCloseHandlePrivilegesToken
                                                            • String ID:
                                                            • API String ID: 81990902-0
                                                            • Opcode ID: 7884d5c001f60de481a2466628cb1804c146737f0ed4a753a2a580c82916c145
                                                            • Instruction ID: 8e83b5361f1b60d1c76ef1a3f9c9782daf363eb95e84eaf1fa1c36f7ff5ffe18
                                                            • Opcode Fuzzy Hash: 7884d5c001f60de481a2466628cb1804c146737f0ed4a753a2a580c82916c145
                                                            • Instruction Fuzzy Hash: DCE04F32004B10EEEB252B51FC09E7377A9FB04311B20882EF4A6805B1DB666CD0DB50
                                                            Strings
                                                            • Variable is not of type 'Object'., xrefs: 00810C40
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Variable is not of type 'Object'.
                                                            • API String ID: 0-1840281001
                                                            • Opcode ID: e62947d7339c4515a8cfa061a87b8b8d2853c3e799dfea469afb72311a4ea4e2
                                                            • Instruction ID: b8f8c33736bc61efb6316647eb3851e7af3d790174372cd01af59c327f49bff3
                                                            • Opcode Fuzzy Hash: e62947d7339c4515a8cfa061a87b8b8d2853c3e799dfea469afb72311a4ea4e2
                                                            • Instruction Fuzzy Hash: 3F323671900218EBCF15DF94C885FEDB7B9FF05304F24405DE80AAB292D779AA86DB61
                                                            APIs
                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,007F6766,?,?,00000008,?,?,007FFEFE,00000000), ref: 007F6998
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ExceptionRaise
                                                            • String ID:
                                                            • API String ID: 3997070919-0
                                                            • Opcode ID: 96976965fcd31b6f519bf0a073c56310222f5672dcc040bdae502360a404bc10
                                                            • Instruction ID: 6569668c9d9d397e55e9b3cc102d63331883ab5f6ea39449290bbb9682802bfd
                                                            • Opcode Fuzzy Hash: 96976965fcd31b6f519bf0a073c56310222f5672dcc040bdae502360a404bc10
                                                            • Instruction Fuzzy Hash: E1B128716106099FD719CF28C48AB657BA0FF45364F25C65CEA9ACF3A2C339E991CB40
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID: 0-3916222277
                                                            • Opcode ID: ee7103c07059894ae5d0c61919d29b6fe19a2247ad80c6c9f67cd2291da6c6a2
                                                            • Instruction ID: 3466f9e085206b3a6971243648f2a1d2a272acfa3cf7fd3807c81a80fc74ca8c
                                                            • Opcode Fuzzy Hash: ee7103c07059894ae5d0c61919d29b6fe19a2247ad80c6c9f67cd2291da6c6a2
                                                            • Instruction Fuzzy Hash: C7124C71900229DFCB24CF58C881AEEB7B5FF48710F15819AE849EB355EB349E81DB90
                                                            APIs
                                                            • BlockInput.USER32(00000001), ref: 0083EABD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: BlockInput
                                                            • String ID:
                                                            • API String ID: 3456056419-0
                                                            • Opcode ID: dfed2d944e567649ee5aeacb47d8230a7a143eb3fdd6bf239e72312f5d71267f
                                                            • Instruction ID: d987e6ad258b909dae03e3b3ee334f162fad595c613ccb9e32d7c56a3581d5a1
                                                            • Opcode Fuzzy Hash: dfed2d944e567649ee5aeacb47d8230a7a143eb3fdd6bf239e72312f5d71267f
                                                            • Instruction Fuzzy Hash: 32E01A322002159FC710EF59D809E9AB7E9FFA8760F00841EFC49C7391DA74A8418B90
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,007E03EE), ref: 007E09DA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            • Opcode ID: 58b9af771e2ca188bea57c2b146403731b525caf99fee8bfdf429199e74383ef
                                                            • Instruction ID: 4b289d58ed6846241651945082a97c771a076513493dd050ca59505ecc453a3e
                                                            • Opcode Fuzzy Hash: 58b9af771e2ca188bea57c2b146403731b525caf99fee8bfdf429199e74383ef
                                                            • Instruction Fuzzy Hash:
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 0
                                                            • API String ID: 0-4108050209
                                                            • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                            • Instruction ID: d20d3b89a437ce60f300e36af216d74fff09c1750bbd99148567e1c9af7f25d7
                                                            • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                            • Instruction Fuzzy Hash: E751777160F7C59BDB3C856B889E7BE23899F2E340F180519D886CB283CA1DEE41D352
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 610e053a570f798a8a2ffa9050d003e615fa56b4fba81d478a5092db2b9fae90
                                                            • Instruction ID: 8d1415c0e17fe7c24809d06659b54e72ee9fd42b64e0377910cb7435289fed6d
                                                            • Opcode Fuzzy Hash: 610e053a570f798a8a2ffa9050d003e615fa56b4fba81d478a5092db2b9fae90
                                                            • Instruction Fuzzy Hash: E2326622D29F454DD7279634CC22335A249BFB73C5F16D737F81AB5AAAEB69C4838100
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5c3e9f35c5e6b671ddba8c16e4d4504c8120f1e6c5e87e7c9a17949c20caee8d
                                                            • Instruction ID: 558f59ca05792296efc4bde2406d830102d2dd11313ea56df4543f0a42932f63
                                                            • Opcode Fuzzy Hash: 5c3e9f35c5e6b671ddba8c16e4d4504c8120f1e6c5e87e7c9a17949c20caee8d
                                                            • Instruction Fuzzy Hash: 8C321271A8411A8BCF29CE28C4906FD7BB9FF45314F28856BD98ACB291D234DDC1DB51
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c5bffd064807bc3e58e53c2b2da31f639bc78edc79a98a1d7d9d89c6dc3181c6
                                                            • Instruction ID: 1cb511f9e291a912e35b85d0020bd061200ceb4f2ab9015e5bf701a1d8e7af71
                                                            • Opcode Fuzzy Hash: c5bffd064807bc3e58e53c2b2da31f639bc78edc79a98a1d7d9d89c6dc3181c6
                                                            • Instruction Fuzzy Hash: D6227CB0A04609DBDF14CFA8D885AAEB7B5FF44300F14452DE816E7291EB3AAD54CF64
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: aad7d4bcd5c25261a201ba74bbdd9db8dd985f33b4b6d8574cea1880be6b55c3
                                                            • Instruction ID: 923189a5879ce87944714379cdb0fb087de765304a21c893fcaf168451a9f816
                                                            • Opcode Fuzzy Hash: aad7d4bcd5c25261a201ba74bbdd9db8dd985f33b4b6d8574cea1880be6b55c3
                                                            • Instruction Fuzzy Hash: CD02C3B1A00209EBDB44DF64DC85BAEB7B1FF44304F108569E946DB3D1EB35AA60CB91
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bbe6fbcfbef46007ebaa3fb30b993db144405b8a9fc8632746d0e6053d164998
                                                            • Instruction ID: 85e987a8955f19f822c345ccd4c4b437a7c47ad236f59a93dfe7d8a8d1ec955e
                                                            • Opcode Fuzzy Hash: bbe6fbcfbef46007ebaa3fb30b993db144405b8a9fc8632746d0e6053d164998
                                                            • Instruction Fuzzy Hash: 4BB1E220D2AF414DD22396399931336B65CBFBB6D5F52E71BFC1674F62EB2285834140
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                            • Instruction ID: 11a7d0590290f14b716a3450ea77b2777c41190593857819553e80f56ea0afd8
                                                            • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                            • Instruction Fuzzy Hash: C491997260A0E34ADB29863F853603DFFE15A563A235A079DE4F2CB1C5FE38D954D620
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                            • Instruction ID: 9bdd6c8a08744f3080ce4fe0eb03e4d4393406eb878bce77718c574bbe081421
                                                            • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                            • Instruction Fuzzy Hash: B191767220A0E34DDB6D423B847503EFFE55A963A131A079DD4F2CB1C6EE38DA55E620
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                            • Instruction ID: bfbd99ed2bf3ca4a59d6312b8bbe197e2a4933f05481fa678a265031adf7912c
                                                            • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                            • Instruction Fuzzy Hash: FB91657220A0E34ADB2D427B857603DFFE15A963A135A47AED4F3CA1C1FD38D554D620
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 52ddf15903a37f5009b7e07001d006686b85c40c43cbca49ab7037a8aa9e2a19
                                                            • Instruction ID: cbca08b55e3726d1b66965a8f28016edaecd5df014110778c3408711f9d90cd4
                                                            • Opcode Fuzzy Hash: 52ddf15903a37f5009b7e07001d006686b85c40c43cbca49ab7037a8aa9e2a19
                                                            • Instruction Fuzzy Hash: 42618DB160A7C996DA3C992F8C95BBF3398DF4D700F20492DE842CB291D61D9E42C366
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 61c20ed4cbb62b745bed122d529e757d2ea092871c71529f1f75c13b279ea01e
                                                            • Instruction ID: cd4aa90e27dfe2710018755f352da717dcac4fd342adc2214a301464c976b726
                                                            • Opcode Fuzzy Hash: 61c20ed4cbb62b745bed122d529e757d2ea092871c71529f1f75c13b279ea01e
                                                            • Instruction Fuzzy Hash: 42618C7130A7C9A6DE3CCA2B4C95BBF2389DF4E704F100959E942DF281DA1EAD42C356
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                            • Instruction ID: 46f0a54b4f3c58ac6cb6e4740ce65050a7bbe078d11bf0596ebea0b19d85c8df
                                                            • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                            • Instruction Fuzzy Hash: F881867260A0E34ADB2D423B857643EFFE15A963B135A079DD4F2CB1C2EE38D554D620
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 50c1a38ae5d457dc15b97de159f7575df8f929a98325d2ab8a8a4596eda4d9fb
                                                            • Instruction ID: ec68498554b605cf039629a24612ed0b9eb664e3e3914c88a43fb8e0b05bb0f5
                                                            • Opcode Fuzzy Hash: 50c1a38ae5d457dc15b97de159f7575df8f929a98325d2ab8a8a4596eda4d9fb
                                                            • Instruction Fuzzy Hash: 0B21AB326215118BD72CDE79C82267E73E5F764310F19852EE4A7C77D0DE359904CB80
                                                            APIs
                                                            • DeleteObject.GDI32(00000000), ref: 00842B30
                                                            • DeleteObject.GDI32(00000000), ref: 00842B43
                                                            • DestroyWindow.USER32 ref: 00842B52
                                                            • GetDesktopWindow.USER32 ref: 00842B6D
                                                            • GetWindowRect.USER32(00000000), ref: 00842B74
                                                            • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00842CA3
                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00842CB1
                                                            • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842CF8
                                                            • GetClientRect.USER32(00000000,?), ref: 00842D04
                                                            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00842D40
                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842D62
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842D75
                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842D80
                                                            • GlobalLock.KERNEL32(00000000), ref: 00842D89
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842D98
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00842DA1
                                                            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842DA8
                                                            • GlobalFree.KERNEL32(00000000), ref: 00842DB3
                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842DC5
                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,0085FC38,00000000), ref: 00842DDB
                                                            • GlobalFree.KERNEL32(00000000), ref: 00842DEB
                                                            • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00842E11
                                                            • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00842E30
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842E52
                                                            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0084303F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                            • String ID: $AutoIt v3$DISPLAY$static
                                                            • API String ID: 2211948467-2373415609
                                                            • Opcode ID: 8d9c176df576b11fb12cc5be776d6dd48d6324532d14457f18fb19c54485d619
                                                            • Instruction ID: bac7b0a61116de4fa1221f45754291edfb99ed31310837df42f0f63bb99e4c95
                                                            • Opcode Fuzzy Hash: 8d9c176df576b11fb12cc5be776d6dd48d6324532d14457f18fb19c54485d619
                                                            • Instruction Fuzzy Hash: BD023771900209EFDB14DFA4DC89EAE7BB9FB48711F048159F915AB2A1DB78AD01CF60
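Added example, not part of the Joe Sandbox report and not code from the analysed sample: a small Python parser for API-trace lines in the format used by the function records above, with a decoder for the window-style and message constants that appear in the trace and an ordered-chain matcher. Run over the record above it shows what this function does: a top-level window of class "AutoIt v3" (style 88C00000, which decodes to WS_POPUP, WS_DISABLED and WS_CAPTION), a child "static" control with style 5000000E (WS_CHILD, WS_VISIBLE, SS_BITMAP), a file read whole into an HGLOBAL, wrapped as an IStream, decoded by OleLoadPicture and pushed into the control with message 172 (STM_SETIMAGE). That is the shape of a splash-image routine in the interpreter's own GUI support rather than script-specific logic; this reading is the editor's interpretation of the trace, not a statement from the report. The style and message names are the winuser.h values; the chain definition is this example's own; the sample trace text is copied from this record and from the GDI drawing record that follows it (used as a negative control), with trailing stack-residue arguments trimmed.

```python
"""Added example (not from the report or the sample): parse Joe Sandbox API-trace lines and
flag the file -> OleLoadPicture -> STM_SETIMAGE chain. Trace text is copied from the records
on the page; the chain and the style/message tables are this example's own (winuser.h values)."""
import re
from typing import Callable, List, NamedTuple, Optional

class Call(NamedTuple):
    name: str
    module: str
    args: List[str]
    ref: int  # call-site address

# "• Name.MODULE(arg,arg), ref: ADDR" or "• Name.MODULE ref: ADDR", optional subcall prefix.
_LINE = re.compile(r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                   r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")

def parse_trace(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:  # headings such as "APIs" / "Strings" do not match and are skipped
            name, module, argstr, ref = m.groups()
            args = [a.strip() for a in argstr.split(",")] if argstr is not None else []
            calls.append(Call(name, module, args, int(ref, 16)))
    return calls

# Composite WS_CAPTION is listed before WS_BORDER/WS_DLGFRAME so it consumes both bits.
_WS = [("WS_POPUP", 0x80000000), ("WS_CHILD", 0x40000000), ("WS_VISIBLE", 0x10000000),
       ("WS_DISABLED", 0x08000000), ("WS_CLIPSIBLINGS", 0x04000000), ("WS_CLIPCHILDREN", 0x02000000),
       ("WS_CAPTION", 0x00C00000), ("WS_BORDER", 0x00800000), ("WS_DLGFRAME", 0x00400000),
       ("WS_SYSMENU", 0x00080000), ("WS_THICKFRAME", 0x00040000)]
_SS = {0x00: "SS_LEFT", 0x03: "SS_ICON", 0x0E: "SS_BITMAP"}  # static-control type, low 5 bits
_MSG = {0x170: "STM_SETICON", 0x172: "STM_SETIMAGE", 0x173: "STM_GETIMAGE"}

def decode_style(style: int, window_class: Optional[str] = None) -> List[str]:
    names, remaining = [], style
    for name, bits in _WS:
        if (remaining & bits) == bits:
            names.append(name)
            remaining &= ~bits
    if window_class and window_class.lower() == "static":
        names.append(_SS.get(style & 0x1F, "SS_0x%02X" % (style & 0x1F)))
    return names

def message_name(msg: int) -> str:
    return _MSG.get(msg, "WM_0x%X" % msg)

def step(name: str, arg_index: Optional[int] = None, value: Optional[int] = None) -> Callable[[Call], bool]:
    """Predicate: call named `name`, optionally with hex argument `value` at `arg_index`."""
    def pred(c: Call) -> bool:
        if c.name != name:
            return False
        try:
            return arg_index is None or int(c.args[arg_index], 16) == value
        except (IndexError, ValueError):  # argument missing or shown as "?"
            return False
    return pred

def find_chain(calls: List[Call], chain) -> Optional[List[int]]:
    """Call-site addresses if the steps occur in this order (gaps allowed), else None."""
    refs, i = [], 0
    for c in calls:
        if i < len(chain) and chain[i](c):
            refs.append(c.ref)
            i += 1
    return refs if i == len(chain) else None

# File bytes -> HGLOBAL-backed IStream -> IPicture -> handed to a static control via STM_SETIMAGE.
IMAGE_FROM_FILE = [step("CreateFileW"), step("ReadFile"), step("CreateStreamOnHGlobal"),
                   step("OleLoadPicture"), step("SendMessageW", 1, 0x172)]

def classify(calls: List[Call]) -> dict:
    windows = []
    for c in calls:
        if c.name == "CreateWindowExW" and len(c.args) > 3 and c.args[3] != "?":
            windows.append((c.args[1], decode_style(int(c.args[3], 16), c.args[1])))
    return {"image_from_file_to_static": find_chain(calls, IMAGE_FROM_FILE), "windows": windows}

# Copied from the two function records on the page (trailing stack-residue arguments trimmed).
SPLASH_TRACE = """\
• DestroyWindow.USER32 ref: 00842B52
• CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842CF8
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00842D40
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?), ref: 00842D62
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00842D98
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?), ref: 00842DC5
• OleLoadPicture.OLEAUT32(?,00000000,00000000,0085FC38,00000000), ref: 00842DDB
• SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00842E30
• ShowWindow.USER32(00000004,?), ref: 0084303F
"""
GDI_TRACE = """\
• SetTextColor.GDI32(?,00000000), ref: 0085712F
• FillRect.USER32(?,?,?), ref: 00857262
  • Part of subcall function 008573E8: GetSysColor.USER32(00000012), ref: 00857421
"""

if __name__ == "__main__":
    for label, text in (("splash function", SPLASH_TRACE), ("drawing function", GDI_TRACE)):
        print(label, classify(parse_trace(text)))
```

The chain matcher deliberately allows gaps between steps (GetFileSize, GlobalAlloc, GlobalLock and the cleanup calls sit between the steps in the real trace) and keys on the message number rather than on SendMessageW alone, so a plain window repaint does not trigger it. For triage the useful outcome is the negative one: once a function is recognised as the runtime's own splash or drawing code, analysis time goes to the functions with file, registry or network APIs that the hashes alone do not distinguish.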
                                                            APIs
                                                            • SetTextColor.GDI32(?,00000000), ref: 0085712F
                                                            • GetSysColorBrush.USER32(0000000F), ref: 00857160
                                                            • GetSysColor.USER32(0000000F), ref: 0085716C
                                                            • SetBkColor.GDI32(?,000000FF), ref: 00857186
                                                            • SelectObject.GDI32(?,?), ref: 00857195
                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 008571C0
                                                            • GetSysColor.USER32(00000010), ref: 008571C8
                                                            • CreateSolidBrush.GDI32(00000000), ref: 008571CF
                                                            • FrameRect.USER32(?,?,00000000), ref: 008571DE
                                                            • DeleteObject.GDI32(00000000), ref: 008571E5
                                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 00857230
                                                            • FillRect.USER32(?,?,?), ref: 00857262
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00857284
                                                              • Part of subcall function 008573E8: GetSysColor.USER32(00000012), ref: 00857421
                                                              • Part of subcall function 008573E8: SetTextColor.GDI32(?,?), ref: 00857425
                                                              • Part of subcall function 008573E8: GetSysColorBrush.USER32(0000000F), ref: 0085743B
                                                              • Part of subcall function 008573E8: GetSysColor.USER32(0000000F), ref: 00857446
                                                              • Part of subcall function 008573E8: GetSysColor.USER32(00000011), ref: 00857463
                                                              • Part of subcall function 008573E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00857471
                                                              • Part of subcall function 008573E8: SelectObject.GDI32(?,00000000), ref: 00857482
                                                              • Part of subcall function 008573E8: SetBkColor.GDI32(?,00000000), ref: 0085748B
                                                              • Part of subcall function 008573E8: SelectObject.GDI32(?,?), ref: 00857498
                                                              • Part of subcall function 008573E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008574B7
                                                              • Part of subcall function 008573E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008574CE
                                                              • Part of subcall function 008573E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008574DB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                            • String ID:
                                                            • API String ID: 4124339563-0
                                                            • Opcode ID: 65698c73e17ba868bf1e2bb364c8309a436cf40608539684658f7d57aec3073d
                                                            • Instruction ID: 613af097dd048f79602dde4377ab3607ecc6dfae2ddd3f88496ef5504128bd9c
                                                            • Opcode Fuzzy Hash: 65698c73e17ba868bf1e2bb364c8309a436cf40608539684658f7d57aec3073d
                                                            • Instruction Fuzzy Hash: D2A19072008701AFDB019F64DC48A5BBBA9FB49322F104A19F9A2D61E1E779E948CF51
                                                            APIs
                                                            • DestroyWindow.USER32(?,?), ref: 007D8E14
                                                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 00816AC5
                                                            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00816AFE
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00816F43
                                                              • Part of subcall function 007D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007D8BE8,?,00000000,?,?,?,?,007D8BBA,00000000,?), ref: 007D8FC5
                                                            • SendMessageW.USER32(?,00001053), ref: 00816F7F
                                                            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00816F96
                                                            • ImageList_Destroy.COMCTL32(00000000,?), ref: 00816FAC
                                                            • ImageList_Destroy.COMCTL32(00000000,?), ref: 00816FB7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                            • String ID: 0
                                                            • API String ID: 2760611726-4108050209
                                                            • Opcode ID: c3b5572a834f7ebb10586694c2ab6671e69d7004183675473ba3599cc32d288f
                                                            • Instruction ID: 7714bac147c9fe0fdeeab4b91ff80050bbffb42616accee3f0715a61dce54d6b
                                                            • Opcode Fuzzy Hash: c3b5572a834f7ebb10586694c2ab6671e69d7004183675473ba3599cc32d288f
                                                            • Instruction Fuzzy Hash: 3F129C30204201DFDB65DF24D888BA5BBF9FF44311F58456AE485CB261DB35E8A2DF92
                                                            APIs
                                                            • DestroyWindow.USER32(00000000), ref: 0084273E
                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0084286A
                                                            • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008428A9
                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008428B9
                                                            • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00842900
                                                            • GetClientRect.USER32(00000000,?), ref: 0084290C
                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00842955
                                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00842964
                                                            • GetStockObject.GDI32(00000011), ref: 00842974
                                                            • SelectObject.GDI32(00000000,00000000), ref: 00842978
                                                            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00842988
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00842991
                                                            • DeleteDC.GDI32(00000000), ref: 0084299A
                                                            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008429C6
                                                            • SendMessageW.USER32(00000030,00000000,00000001), ref: 008429DD
                                                            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00842A1D
                                                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00842A31
                                                            • SendMessageW.USER32(00000404,00000001,00000000), ref: 00842A42
                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00842A77
                                                            • GetStockObject.GDI32(00000011), ref: 00842A82
                                                            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00842A8D
                                                            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00842A97
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                            • API String ID: 2910397461-517079104
                                                            • Opcode ID: e1f576ec30ccbcc831cb241bac210fa42b2e2981c165b36a55fc6f984f0b99e0
                                                            • Instruction ID: 6ac38a78566d360cebea23bc96c49bb84e08a12921675d66f08985a8a889a2a9
                                                            • Opcode Fuzzy Hash: e1f576ec30ccbcc831cb241bac210fa42b2e2981c165b36a55fc6f984f0b99e0
                                                            • Instruction Fuzzy Hash: 47B13A71A40219AFEB14DF68DC8AFAE7BB9FB08715F004159F915E7290DB78AD40CB90
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 00834AED
                                                            • GetDriveTypeW.KERNEL32(?,0085CB68,?,\\.\,0085CC08), ref: 00834BCA
                                                            • SetErrorMode.KERNEL32(00000000,0085CB68,?,\\.\,0085CC08), ref: 00834D36
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DriveType
                                                            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                            • API String ID: 2907320926-4222207086
                                                            • Opcode ID: 0c4e2900f506a46f576bb863c48a62ac30786e7256529912e7b718f52fe51936
                                                            • Instruction ID: 855fe11cbfef22b4d75f868a83d3eee09bb7f09193d7fbd345608dd7cf203110
                                                            • Opcode Fuzzy Hash: 0c4e2900f506a46f576bb863c48a62ac30786e7256529912e7b718f52fe51936
                                                            • Instruction Fuzzy Hash: C4619330605209DBCB14EF64CA85D69B7A1FB84304F24A419F816EB752EB3AFD52DBC1
                                                            APIs
                                                            • GetSysColor.USER32(00000012), ref: 00857421
                                                            • SetTextColor.GDI32(?,?), ref: 00857425
                                                            • GetSysColorBrush.USER32(0000000F), ref: 0085743B
                                                            • GetSysColor.USER32(0000000F), ref: 00857446
                                                            • CreateSolidBrush.GDI32(?), ref: 0085744B
                                                            • GetSysColor.USER32(00000011), ref: 00857463
                                                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00857471
                                                            • SelectObject.GDI32(?,00000000), ref: 00857482
                                                            • SetBkColor.GDI32(?,00000000), ref: 0085748B
                                                            • SelectObject.GDI32(?,?), ref: 00857498
                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 008574B7
                                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008574CE
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 008574DB
                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0085752A
                                                            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00857554
                                                            • InflateRect.USER32(?,000000FD,000000FD), ref: 00857572
                                                            • DrawFocusRect.USER32(?,?), ref: 0085757D
                                                            • GetSysColor.USER32(00000011), ref: 0085758E
                                                            • SetTextColor.GDI32(?,00000000), ref: 00857596
                                                            • DrawTextW.USER32(?,008570F5,000000FF,?,00000000), ref: 008575A8
                                                            • SelectObject.GDI32(?,?), ref: 008575BF
                                                            • DeleteObject.GDI32(?), ref: 008575CA
                                                            • SelectObject.GDI32(?,?), ref: 008575D0
                                                            • DeleteObject.GDI32(?), ref: 008575D5
                                                            • SetTextColor.GDI32(?,?), ref: 008575DB
                                                            • SetBkColor.GDI32(?,?), ref: 008575E5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                            • String ID:
                                                            • API String ID: 1996641542-0
                                                            • Opcode ID: 96a8f3cb96b79b733e65c90e18e52a27f523d71e1486c62a9f1d58f2d8085a8c
                                                            • Instruction ID: 95e4528ffd98773882fec507af1f19da99e66a7dae2ea0ee99f28d6cc61fcd2f
                                                            • Opcode Fuzzy Hash: 96a8f3cb96b79b733e65c90e18e52a27f523d71e1486c62a9f1d58f2d8085a8c
                                                            • Instruction Fuzzy Hash: 2B615C72900718AFDF019FA4DC49EAEBFB9FB08362F118115F915AB2A1E7749940CF90
                                                            APIs
                                                            • GetCursorPos.USER32(?), ref: 00851128
                                                            • GetDesktopWindow.USER32 ref: 0085113D
                                                            • GetWindowRect.USER32(00000000), ref: 00851144
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00851199
                                                            • DestroyWindow.USER32(?), ref: 008511B9
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008511ED
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0085120B
                                                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0085121D
                                                            • SendMessageW.USER32(00000000,00000421,?,?), ref: 00851232
                                                            • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00851245
                                                            • IsWindowVisible.USER32(00000000), ref: 008512A1
                                                            • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008512BC
                                                            • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008512D0
                                                            • GetWindowRect.USER32(00000000,?), ref: 008512E8
                                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 0085130E
                                                            • GetMonitorInfoW.USER32(00000000,?), ref: 00851328
                                                            • CopyRect.USER32(?,?), ref: 0085133F
                                                            • SendMessageW.USER32(00000000,00000412,00000000), ref: 008513AA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                            • String ID: ($0$tooltips_class32
                                                            • API String ID: 698492251-4156429822
                                                            • Opcode ID: c31e7adf7dbf44aa55bc4ff14a1f303fede16c5cc7bac940fd59adc217c5801f
                                                            • Instruction ID: 9d0e937be3b844490c2fe1ee3641613475bdcd92d2dae75dcc5c0b340e1c6413
                                                            • Opcode Fuzzy Hash: c31e7adf7dbf44aa55bc4ff14a1f303fede16c5cc7bac940fd59adc217c5801f
                                                            • Instruction Fuzzy Hash: F9B16971604341AFDB04DF64C889B6ABBE4FF88355F00891CF999DB2A1D775E848CB91
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?), ref: 008502E5
                                                            • _wcslen.LIBCMT ref: 0085031F
                                                            • _wcslen.LIBCMT ref: 00850389
                                                            • _wcslen.LIBCMT ref: 008503F1
                                                            • _wcslen.LIBCMT ref: 00850475
                                                            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 008504C5
                                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00850504
                                                              • Part of subcall function 007DF9F2: _wcslen.LIBCMT ref: 007DF9FD
                                                              • Part of subcall function 0082223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00822258
                                                              • Part of subcall function 0082223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0082228A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$MessageSend$BuffCharUpper
                                                            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                            • API String ID: 1103490817-719923060
                                                            • Opcode ID: 4cbf2bfa232cc36519693051ea6965cdb1624c3507a1def24578bfd55e67900e
                                                            • Instruction ID: bf0aac0a4af1b11eb98ab7a33f3d1ed5a5a9d19a398e9243037498ebd695f185
                                                            • Opcode Fuzzy Hash: 4cbf2bfa232cc36519693051ea6965cdb1624c3507a1def24578bfd55e67900e
                                                            • Instruction Fuzzy Hash: A6E18C312083059FC714EF24C55196AB3E6FF98319B14496DF896EB3A2DB34ED49CB82
                                                            APIs
                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007D8968
                                                            • GetSystemMetrics.USER32(00000007), ref: 007D8970
                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007D899B
                                                            • GetSystemMetrics.USER32(00000008), ref: 007D89A3
                                                            • GetSystemMetrics.USER32(00000004), ref: 007D89C8
                                                            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007D89E5
                                                            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007D89F5
                                                            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 007D8A28
                                                            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 007D8A3C
                                                            • GetClientRect.USER32(00000000,000000FF), ref: 007D8A5A
                                                            • GetStockObject.GDI32(00000011), ref: 007D8A76
                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 007D8A81
                                                              • Part of subcall function 007D912D: GetCursorPos.USER32(?), ref: 007D9141
                                                              • Part of subcall function 007D912D: ScreenToClient.USER32(00000000,?), ref: 007D915E
                                                              • Part of subcall function 007D912D: GetAsyncKeyState.USER32(00000001), ref: 007D9183
                                                              • Part of subcall function 007D912D: GetAsyncKeyState.USER32(00000002), ref: 007D919D
                                                            • SetTimer.USER32(00000000,00000000,00000028,007D90FC), ref: 007D8AA8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                            • String ID: AutoIt v3 GUI
                                                            • API String ID: 1458621304-248962490
                                                            • Opcode ID: 242b7a713c3fd7bc7ed578763a6ba37bfdec7ed713254db2e7e5e1a452b2a71d
                                                            • Instruction ID: efa9598c6257c2bc600d8fcf70ab0f4ef601b5a934fce723bd6618383dd9bf6d
                                                            • Opcode Fuzzy Hash: 242b7a713c3fd7bc7ed578763a6ba37bfdec7ed713254db2e7e5e1a452b2a71d
                                                            • Instruction Fuzzy Hash: 52B17E75A0020A9FDF14DFA8CC49BAE7BB5FB48315F14422AFA55E7290DB38A840CF51
                                                            APIs
                                                              • Part of subcall function 008210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00821114
                                                              • Part of subcall function 008210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 00821120
                                                              • Part of subcall function 008210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 0082112F
                                                              • Part of subcall function 008210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 00821136
                                                              • Part of subcall function 008210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0082114D
                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00820DF5
                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00820E29
                                                            • GetLengthSid.ADVAPI32(?), ref: 00820E40
                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00820E7A
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00820E96
                                                            • GetLengthSid.ADVAPI32(?), ref: 00820EAD
                                                            • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00820EB5
                                                            • HeapAlloc.KERNEL32(00000000), ref: 00820EBC
                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00820EDD
                                                            • CopySid.ADVAPI32(00000000), ref: 00820EE4
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00820F13
                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00820F35
                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00820F47
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820F6E
                                                            • HeapFree.KERNEL32(00000000), ref: 00820F75
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820F7E
                                                            • HeapFree.KERNEL32(00000000), ref: 00820F85
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820F8E
                                                            • HeapFree.KERNEL32(00000000), ref: 00820F95
                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00820FA1
                                                            • HeapFree.KERNEL32(00000000), ref: 00820FA8
                                                              • Part of subcall function 00821193: GetProcessHeap.KERNEL32(00000008,00820BB1,?,00000000,?,00820BB1,?), ref: 008211A1
                                                              • Part of subcall function 00821193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00820BB1,?), ref: 008211A8
                                                              • Part of subcall function 00821193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00820BB1,?), ref: 008211B7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                            • String ID:
                                                            • API String ID: 4175595110-0
                                                            • Opcode ID: b82d427d22c0f5630cd0f011efd4089353a714539e81240059e0a1e1a129a1dc
                                                            • Instruction ID: e8fd5a8f357dda4ca454edf5055c1e289083482d309abcadce38e1268c6ff566
                                                            • Opcode Fuzzy Hash: b82d427d22c0f5630cd0f011efd4089353a714539e81240059e0a1e1a129a1dc
                                                            • Instruction Fuzzy Hash: 4E71587290031AAFDF209FA4ED48BAEBBB8FF04311F144115F959E6192DB359A49CF60
                                                            APIs
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0084C4BD
                                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,0085CC08,00000000,?,00000000,?,?), ref: 0084C544
                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0084C5A4
                                                            • _wcslen.LIBCMT ref: 0084C5F4
                                                            • _wcslen.LIBCMT ref: 0084C66F
                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0084C6B2
                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0084C7C1
                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0084C84D
                                                            • RegCloseKey.ADVAPI32(?), ref: 0084C881
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0084C88E
                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0084C960
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                            • API String ID: 9721498-966354055
                                                            • Opcode ID: cc688b9a11b1d95122c0786798efc7a8871c882ee2e53a04bcba9b720554287c
                                                            • Instruction ID: be2dd260acb22fb38b473eb4da6896b001c3d3eb43183bb3858c07a2195cdbe6
                                                            • Opcode Fuzzy Hash: cc688b9a11b1d95122c0786798efc7a8871c882ee2e53a04bcba9b720554287c
                                                            • Instruction Fuzzy Hash: 1D123335604204DFDB54DF14C885E2AB7E9FF88714F14889CF88A9B2A2DB35ED41CB85
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?), ref: 008509C6
                                                            • _wcslen.LIBCMT ref: 00850A01
                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00850A54
                                                            • _wcslen.LIBCMT ref: 00850A8A
                                                            • _wcslen.LIBCMT ref: 00850B06
                                                            • _wcslen.LIBCMT ref: 00850B81
                                                              • Part of subcall function 007DF9F2: _wcslen.LIBCMT ref: 007DF9FD
                                                              • Part of subcall function 00822BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00822BFA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$MessageSend$BuffCharUpper
                                                            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                            • API String ID: 1103490817-4258414348
                                                            • Opcode ID: c51dc83d486010271f7f126d6b0567284bd58b4e2e66e7241a66aa9cf673576d
                                                            • Instruction ID: 069bf50da15b63899b403c40f4cfe979c524736a96c0bd3eeb07e5e1809b08bc
                                                            • Opcode Fuzzy Hash: c51dc83d486010271f7f126d6b0567284bd58b4e2e66e7241a66aa9cf673576d
                                                            • Instruction Fuzzy Hash: B4E157356083119FC714EF24C49092AB7E2FF98319B14895DF896AB362DB35ED49CF82
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$BuffCharUpper
                                                            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                            • API String ID: 1256254125-909552448
                                                            • Opcode ID: 67eee131789614d5098ba0191f8899b16f4eae76c563fc53787b7cf22e82a1f7
                                                            • Instruction ID: 2466a167981afbf23a6eeb048a47ef226ff5866224fda638ed2ab8feb5e560e5
                                                            • Opcode Fuzzy Hash: 67eee131789614d5098ba0191f8899b16f4eae76c563fc53787b7cf22e82a1f7
                                                            • Instruction Fuzzy Hash: 5D71167260212E8BCB60EE7CCD515BE33A9FF60764B250528FC66E7284EA35DD44C7A0
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 0085835A
                                                            • _wcslen.LIBCMT ref: 0085836E
                                                            • _wcslen.LIBCMT ref: 00858391
                                                            • _wcslen.LIBCMT ref: 008583B4
                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008583F2
                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00855BF2), ref: 0085844E
                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00858487
                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008584CA
                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00858501
                                                            • FreeLibrary.KERNEL32(?), ref: 0085850D
                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0085851D
                                                            • DestroyIcon.USER32(?,?,?,?,?,00855BF2), ref: 0085852C
                                                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00858549
                                                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00858555
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                            • String ID: .dll$.exe$.icl
                                                            • API String ID: 799131459-1154884017
                                                            • Opcode ID: 86b6ce909afbbb3c0a9d1292aadd631f5654f4cad30e1cb47e919773224aff60
                                                            • Instruction ID: 1dc692e3f9c63079141f89cab4e051a1bed2853b7ff8af6e103b3bc514486003
                                                            • Opcode Fuzzy Hash: 86b6ce909afbbb3c0a9d1292aadd631f5654f4cad30e1cb47e919773224aff60
                                                            • Instruction Fuzzy Hash: C461AE71500319FEEB149F64CC85BBE77A8FB08B22F10454AFD15E61D1EB78A994CBA0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                            • API String ID: 0-1645009161
                                                            • Opcode ID: 7bdfede83d20acbf098e8690bbae25cc3d3892bc5d4b80c074b7849f04364566
                                                            • Instruction ID: 329f013c8e33aff447018a4b260cf5543fe9fe30895c5b665ae13ff246ea91d8
                                                            • Opcode Fuzzy Hash: 7bdfede83d20acbf098e8690bbae25cc3d3892bc5d4b80c074b7849f04364566
                                                            • Instruction Fuzzy Hash: 2781D471644609FBDB64AF60CD46FAF37A8FF14300F04402DF915AA296EB78DA15CBA1
                                                            APIs
                                                            • CharLowerBuffW.USER32(?,?), ref: 00833EF8
                                                            • _wcslen.LIBCMT ref: 00833F03
                                                            • _wcslen.LIBCMT ref: 00833F5A
                                                            • _wcslen.LIBCMT ref: 00833F98
                                                            • GetDriveTypeW.KERNEL32(?), ref: 00833FD6
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0083401E
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00834059
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00834087
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: SendString_wcslen$BuffCharDriveLowerType
                                                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                            • API String ID: 1839972693-4113822522
                                                            • Opcode ID: 1028b1f84218b9c85da7da50c984ede39f1e1a4dcad20dd87cbd74880d94fdc6
                                                            • Instruction ID: 875e718ae1d2cafa2070e3ed7d0b5cf9641e48406217fec82c5abd4c97b76426
                                                            • Opcode Fuzzy Hash: 1028b1f84218b9c85da7da50c984ede39f1e1a4dcad20dd87cbd74880d94fdc6
                                                            • Instruction Fuzzy Hash: 1C71DE326046019FC310EF24C89096AB7F4FF98758F50492DF9A6D7251EB35ED49CB91
                                                            APIs
                                                            • LoadIconW.USER32(00000063), ref: 00825A2E
                                                            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00825A40
                                                            • SetWindowTextW.USER32(?,?), ref: 00825A57
                                                            • GetDlgItem.USER32(?,000003EA), ref: 00825A6C
                                                            • SetWindowTextW.USER32(00000000,?), ref: 00825A72
                                                            • GetDlgItem.USER32(?,000003E9), ref: 00825A82
                                                            • SetWindowTextW.USER32(00000000,?), ref: 00825A88
                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00825AA9
                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00825AC3
                                                            • GetWindowRect.USER32(?,?), ref: 00825ACC
                                                            • _wcslen.LIBCMT ref: 00825B33
                                                            • SetWindowTextW.USER32(?,?), ref: 00825B6F
                                                            • GetDesktopWindow.USER32 ref: 00825B75
                                                            • GetWindowRect.USER32(00000000), ref: 00825B7C
                                                            • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00825BD3
                                                            • GetClientRect.USER32(?,?), ref: 00825BE0
                                                            • PostMessageW.USER32(?,00000005,00000000,?), ref: 00825C05
                                                            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00825C2F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                            • String ID:
                                                            • API String ID: 895679908-0
                                                            • Opcode ID: 0a276f5aa06b136a5988a4c09130079ca6db8a0b7968c0e205bba207cf1288d1
                                                            • Instruction ID: da2a4ff784b034964ab7b0e343dfb26438f3a42255afddad2daab6eb8c45038b
                                                            • Opcode Fuzzy Hash: 0a276f5aa06b136a5988a4c09130079ca6db8a0b7968c0e205bba207cf1288d1
                                                            • Instruction Fuzzy Hash: BB718C31900B19AFDB20DFA8DE89AAEBBF5FF48715F104918E542E25A0D774E984CF50
                                                            APIs
                                                            • LoadCursorW.USER32(00000000,00007F89), ref: 0083FE27
                                                            • LoadCursorW.USER32(00000000,00007F8A), ref: 0083FE32
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 0083FE3D
                                                            • LoadCursorW.USER32(00000000,00007F03), ref: 0083FE48
                                                            • LoadCursorW.USER32(00000000,00007F8B), ref: 0083FE53
                                                            • LoadCursorW.USER32(00000000,00007F01), ref: 0083FE5E
                                                            • LoadCursorW.USER32(00000000,00007F81), ref: 0083FE69
                                                            • LoadCursorW.USER32(00000000,00007F88), ref: 0083FE74
                                                            • LoadCursorW.USER32(00000000,00007F80), ref: 0083FE7F
                                                            • LoadCursorW.USER32(00000000,00007F86), ref: 0083FE8A
                                                            • LoadCursorW.USER32(00000000,00007F83), ref: 0083FE95
                                                            • LoadCursorW.USER32(00000000,00007F85), ref: 0083FEA0
                                                            • LoadCursorW.USER32(00000000,00007F82), ref: 0083FEAB
                                                            • LoadCursorW.USER32(00000000,00007F84), ref: 0083FEB6
                                                            • LoadCursorW.USER32(00000000,00007F04), ref: 0083FEC1
                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 0083FECC
                                                            • GetCursorInfo.USER32(?), ref: 0083FEDC
                                                            • GetLastError.KERNEL32 ref: 0083FF1E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            Similarity
                                                            • API ID: Cursor$Load$ErrorInfoLast
                                                            • String ID:
                                                            • API String ID: 3215588206-0
                                                            • Opcode ID: 8c493774697b64a1d58e55d56911f856a6e56d21e925c7315ffdea95bb446252
                                                            • Instruction ID: dc1bcc2f93b7717b49cded5ffe1d956d44b911e7a89fbb330d073670b4fc9164
                                                            • Opcode Fuzzy Hash: 8c493774697b64a1d58e55d56911f856a6e56d21e925c7315ffdea95bb446252
                                                            • Instruction Fuzzy Hash: 284151B0D04319AADB109FBA8C89C5EBFE8FF44754B50452AE51DE7281DB78E901CE91
                                                            APIs
                                                            • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 007E00C6
                                                              • Part of subcall function 007E00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0089070C,00000FA0,0C6686F4,?,?,?,?,008023B3,000000FF), ref: 007E011C
                                                              • Part of subcall function 007E00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008023B3,000000FF), ref: 007E0127
                                                              • Part of subcall function 007E00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008023B3,000000FF), ref: 007E0138
                                                              • Part of subcall function 007E00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 007E014E
                                                              • Part of subcall function 007E00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 007E015C
                                                              • Part of subcall function 007E00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 007E016A
                                                              • Part of subcall function 007E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007E0195
                                                              • Part of subcall function 007E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007E01A0
                                                            • ___scrt_fastfail.LIBCMT ref: 007E00E7
                                                              • Part of subcall function 007E00A3: __onexit.LIBCMT ref: 007E00A9
                                                            Strings
                                                            • SleepConditionVariableCS, xrefs: 007E0154
                                                            • api-ms-win-core-synch-l1-2-0.dll, xrefs: 007E0122
                                                            • WakeAllConditionVariable, xrefs: 007E0162
                                                            • kernel32.dll, xrefs: 007E0133
                                                            • InitializeConditionVariable, xrefs: 007E0148
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            Similarity
                                                            • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                            • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                            • API String ID: 66158676-1714406822
                                                            • Opcode ID: 2e302204897b988ef97af9656817004b8e3b123d28ad178768dee9b9dcbe99dd
                                                            • Instruction ID: 5704595f4cea1ef2d04ecadd4c61e76f99e4a50c2358933773f4e1ee9e9e5739
                                                            • Opcode Fuzzy Hash: 2e302204897b988ef97af9656817004b8e3b123d28ad178768dee9b9dcbe99dd
                                                            • Instruction Fuzzy Hash: 4F21A732646754AFD7116BA5AC09B6E37B4FB09B62F14012AF911E6391DBBC98408ED0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                            • API String ID: 176396367-1603158881
                                                            • Opcode ID: 02ef06e8c079e2b8f2932daddd329d916d51f623c2b0075f1e7d9ea5d6c040ff
                                                            • Instruction ID: d37f5b5df863e973662a72d95a5611262eb30f3f5741d805b2730c2a7fd05f8a
                                                            • Opcode Fuzzy Hash: 02ef06e8c079e2b8f2932daddd329d916d51f623c2b0075f1e7d9ea5d6c040ff
                                                            • Instruction Fuzzy Hash: 94E1E232A00626EBCB14EFA8D465AEDBBB4FF14714F54811AE556F3240DB38AFC58790
                                                            APIs
                                                            • CharLowerBuffW.USER32(00000000,00000000,0085CC08), ref: 00834527
                                                            • _wcslen.LIBCMT ref: 0083453B
                                                            • _wcslen.LIBCMT ref: 00834599
                                                            • _wcslen.LIBCMT ref: 008345F4
                                                            • _wcslen.LIBCMT ref: 0083463F
                                                            • _wcslen.LIBCMT ref: 008346A7
                                                              • Part of subcall function 007DF9F2: _wcslen.LIBCMT ref: 007DF9FD
                                                            • GetDriveTypeW.KERNEL32(?,00886BF0,00000061), ref: 00834743
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            Similarity
                                                            • API ID: _wcslen$BuffCharDriveLowerType
                                                            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                            • API String ID: 2055661098-1000479233
                                                            • Opcode ID: 3484166220c0fa6df35975e944ed1725e60799aef3c072f8575c0494c138b9d2
                                                            • Instruction ID: cf47882f041c04211554472462418021f935d3f08fa77f7029befdf8c78dc129
                                                            • Opcode Fuzzy Hash: 3484166220c0fa6df35975e944ed1725e60799aef3c072f8575c0494c138b9d2
                                                            • Instruction Fuzzy Hash: 85B110316083029FC710EF28C895A6AB7E5FFE5764F50591DF496C7292E734E844CBA2
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,0085CC08), ref: 008440BB
                                                            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008440CD
                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0085CC08), ref: 008440F2
                                                            • FreeLibrary.KERNEL32(00000000,?,0085CC08), ref: 0084413E
                                                            • StringFromGUID2.OLE32(?,?,00000028,?,0085CC08), ref: 008441A8
                                                            • SysFreeString.OLEAUT32(00000009), ref: 00844262
                                                            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008442C8
                                                            • SysFreeString.OLEAUT32(?), ref: 008442F2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            Similarity
                                                            • API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
                                                            • String ID: GetModuleHandleExW$kernel32.dll
                                                            • API String ID: 354098117-199464113
                                                            • Opcode ID: 258d9595e952e3093642f38a531571aa9c0f741e9ffefc906643524184dc0fa8
                                                            • Instruction ID: db7258c4d6771efc7d6102c641a31ab69a83b602dfae67b552f895647763e389
                                                            • Opcode Fuzzy Hash: 258d9595e952e3093642f38a531571aa9c0f741e9ffefc906643524184dc0fa8
                                                            • Instruction Fuzzy Hash: A6121775A00219EFDB14CF94C888EAEBBB5FF45319F248098E905EB251D735ED46CBA0
                                                            APIs
                                                            • GetMenuItemCount.USER32(00891990), ref: 00802F8D
                                                            • GetMenuItemCount.USER32(00891990), ref: 0080303D
                                                            • GetCursorPos.USER32(?), ref: 00803081
                                                            • SetForegroundWindow.USER32(00000000), ref: 0080308A
                                                            • TrackPopupMenuEx.USER32(00891990,00000000,?,00000000,00000000,00000000), ref: 0080309D
                                                            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008030A9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            Similarity
                                                            • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                            • String ID: 0
                                                            • API String ID: 36266755-4108050209
                                                            • Opcode ID: 6f0fecc99857b84118fde05cacdd0f43702024d55f275859092f46ba7de17129
                                                            • Instruction ID: 858fe4a1ab6d46897904f843d0255b8a38af4c403606ae0e591ec51fc73b42de
                                                            • Opcode Fuzzy Hash: 6f0fecc99857b84118fde05cacdd0f43702024d55f275859092f46ba7de17129
                                                            • Instruction Fuzzy Hash: A1713870640316BEEB218F68DC4DF9ABF68FF04364F20421AF915A61E0C7B5AD10CB50
                                                            APIs
                                                            • DestroyWindow.USER32(00000000,?), ref: 00856DEB
                                                              • Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00856E5F
                                                            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00856E81
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00856E94
                                                            • DestroyWindow.USER32(?), ref: 00856EB5
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,007C0000,00000000), ref: 00856EE4
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00856EFD
                                                            • GetDesktopWindow.USER32 ref: 00856F16
                                                            • GetWindowRect.USER32(00000000), ref: 00856F1D
                                                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00856F35
                                                            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00856F4D
                                                              • Part of subcall function 007D9944: GetWindowLongW.USER32(?,000000EB), ref: 007D9952
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            Similarity
                                                            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                            • String ID: 0$tooltips_class32
                                                            • API String ID: 2429346358-3619404913
                                                            • Opcode ID: 633f95788dab64a658ff63a0fd8a6e3982aeaee4b81c52d4c47e79f9f2330755
                                                            • Instruction ID: 234091d1ffdf65cfcecc9ad01ea8c6df89d5ab738ba6ea19db615baa92533b52
                                                            • Opcode Fuzzy Hash: 633f95788dab64a658ff63a0fd8a6e3982aeaee4b81c52d4c47e79f9f2330755
                                                            • Instruction Fuzzy Hash: 2F717870504345AFDB21DF18D848FAABBE9FB98306F94051EF989C7260DB74A91ACF11
                                                            APIs
                                                              • Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2
                                                            • DragQueryPoint.SHELL32(?,?), ref: 00859147
                                                              • Part of subcall function 00857674: ClientToScreen.USER32(?,?), ref: 0085769A
                                                              • Part of subcall function 00857674: GetWindowRect.USER32(?,?), ref: 00857710
                                                              • Part of subcall function 00857674: PtInRect.USER32(?,?,00858B89), ref: 00857720
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 008591B0
                                                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008591BB
                                                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008591DE
                                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00859225
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 0085923E
                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 00859255
                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 00859277
                                                            • DragFinish.SHELL32(?), ref: 0085927E
                                                            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00859371
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            Similarity
                                                            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                            • API String ID: 221274066-3440237614
                                                            • Opcode ID: afabefc31699d937d1b77eb523e8dcf6c9747ad1183791a4da3c80a2f70b1478
                                                            • Instruction ID: b9df979530ebeaa32944a4d3e3553421cc417edf425a0381945d297f1595e5ea
                                                            • Opcode Fuzzy Hash: afabefc31699d937d1b77eb523e8dcf6c9747ad1183791a4da3c80a2f70b1478
                                                            • Instruction Fuzzy Hash: 9F616C71108301AFC701EF64DC89EAFBBE9FF89751F40091EF695922A1DB349A49CB52
                                                            APIs
                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0083C4B0
                                                            • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0083C4C3
                                                            • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0083C4D7
                                                            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0083C4F0
                                                            • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0083C533
                                                            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0083C549
                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0083C554
                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0083C584
                                                            • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0083C5DC
                                                            • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0083C5F0
                                                            • InternetCloseHandle.WININET(00000000), ref: 0083C5FB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            Similarity
                                                            • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                            • String ID:
                                                            • API String ID: 3800310941-3916222277
                                                            • Opcode ID: b2e8e2b4826ad9d462f0fa6bce5c9480974e6fe27e27f174932ef5e4847f9763
                                                            • Instruction ID: a86021cee42dfcff71bd508984dad9678aa1c3bbfd5620b8809d3aa25f86cb83
                                                            • Opcode Fuzzy Hash: b2e8e2b4826ad9d462f0fa6bce5c9480974e6fe27e27f174932ef5e4847f9763
                                                            • Instruction Fuzzy Hash: C15138B1500708BFDB219F64C988AAB7BBCFB88755F00451AF946E6610DB74E944DFA0
                                                            APIs
                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00858592
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008585A2
                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008585AD
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008585BA
                                                            • GlobalLock.KERNEL32(00000000), ref: 008585C8
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008585D7
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 008585E0
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008585E7
                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008585F8
                                                            • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0085FC38,?), ref: 00858611
                                                            • GlobalFree.KERNEL32(00000000), ref: 00858621
                                                            • GetObjectW.GDI32(?,00000018,?), ref: 00858641
                                                            • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00858671
                                                            • DeleteObject.GDI32(?), ref: 00858699
                                                            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008586AF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                            • String ID:
                                                            • API String ID: 3840717409-0
                                                            • Opcode ID: 28986443417416e9eb61899d6ad1fdd9aefc32d5aa9d0abe95a8d9f9b7d4f5fd
                                                            • Instruction ID: 6372ee05ddc3f96681af8d8353cef5d8a9b0e7c0d4b095abf6c02dfeed293cff
                                                            • Opcode Fuzzy Hash: 28986443417416e9eb61899d6ad1fdd9aefc32d5aa9d0abe95a8d9f9b7d4f5fd
                                                            • Instruction Fuzzy Hash: 36410775600308EFDB119FA5CC48EAABBB8FF99B16F104059F90AE7260DB349945CF60
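The "API ID" under each Similarity heading is the token Joe Sandbox uses to cluster functions that call the same API families across reports. Its construction is not documented on this page, but it can be inferred from the records here: API names are split on CamelCase, tokens of three characters or fewer (Get, Set, Reg, Key, Dlg, DC, the W/A suffix) are discarded, underscore-prefixed CRT helpers such as _wcslen and _free are kept whole, the remaining tokens are counted over the whole function (subcalls included), grouped by frequency with the most frequent group first, sorted ASCII-wise inside each group and joined with "$". The script below is an added example, not part of the report or of Joe Sandbox's tooling; the splitting rule, the three-character cutoff and the sort order are inferred assumptions, and it rebuilds the ID of the OleLoadPicture record directly above and checks it against the printed value. The "API String ID" and "Opcode ID" hashes are not reproduced.

```python
"""Rebuild the 'API ID' shown under the Similarity heading of a Joe Sandbox
function record, so records from different reports can be clustered offline.

Assumed rule (inferred from the records on this page, not documented by
Joe Sandbox): split each API name on CamelCase, drop tokens of three
characters or fewer, keep names that start with an underscore whole, count
the surviving tokens over the whole function, group by frequency (highest
first), sort each group ASCII-wise and join the groups with '$'.
"""
import re
from collections import Counter

# One call per line, subcalls included, e.g.
#   • GetFileSize.KERNEL32(00000000,00000000), ref: 008585A2
#     • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"([A-Za-z_]\w*)\.[A-Z0-9]+", re.M)
CAMEL = re.compile(r"[A-Z][a-z]+|[A-Z]+(?![a-z])")
MIN_TOKEN_LEN = 4          # assumption: 'Open' survives, 'Reg'/'Key'/'W' do not


def parse_api_names(record):
    """API names from an 'APIs' block, in order of appearance."""
    return [m.group(1) for m in API_LINE.finditer(record)]


def tokenize(api_name):
    if api_name.startswith("_"):            # CRT helpers count as one token
        return [api_name]
    return [t for t in CAMEL.findall(api_name) if len(t) >= MIN_TOKEN_LEN]


def api_id(api_names):
    counts = Counter(t for name in api_names for t in tokenize(name))
    by_freq = {}
    for tok, n in counts.items():
        by_freq.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_freq[n]))
                    for n in sorted(by_freq, reverse=True))


# Constructed sample: the 'APIs' block of the OleLoadPicture record above.
SAMPLE_RECORD = """\
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00858592
• GetFileSize.KERNEL32(00000000,00000000), ref: 008585A2
• GlobalAlloc.KERNEL32(00000002,00000000), ref: 008585AD
• CloseHandle.KERNEL32(00000000), ref: 008585BA
• GlobalLock.KERNEL32(00000000), ref: 008585C8
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 008585D7
• GlobalUnlock.KERNEL32(00000000), ref: 008585E0
• CloseHandle.KERNEL32(00000000), ref: 008585E7
• CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?), ref: 008585F8
• OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0085FC38,?), ref: 00858611
• GlobalFree.KERNEL32(00000000), ref: 00858621
• GetObjectW.GDI32(?,00000018,?), ref: 00858641
• CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00858671
• DeleteObject.GDI32(?), ref: 00858699
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008586AF
"""

# The value printed in the report for that record.
REPORTED_ID = ("Global$File$CloseCreateHandleObject$"
               "AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock")


def sample_api_id():
    return api_id(parse_api_names(SAMPLE_RECORD))


if __name__ == "__main__":
    got = sample_api_id()
    print(got)
    print("matches the report:", got == REPORTED_ID)
```

Because the ID depends only on token frequencies, two functions with the same calls in a different order produce the same ID; when ordering matters (for example distinguishing a file read that precedes a network send from one that follows it) the ordered call list itself has to be compared.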
                                                            APIs
                                                            • VariantInit.OLEAUT32(00000000), ref: 00831502
                                                            • VariantCopy.OLEAUT32(?,?), ref: 0083150B
                                                            • VariantClear.OLEAUT32(?), ref: 00831517
                                                            • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008315FB
                                                            • VarR8FromDec.OLEAUT32(?,?), ref: 00831657
                                                            • VariantInit.OLEAUT32(?), ref: 00831708
                                                            • SysFreeString.OLEAUT32(?), ref: 0083178C
                                                            • VariantClear.OLEAUT32(?), ref: 008317D8
                                                            • VariantClear.OLEAUT32(?), ref: 008317E7
                                                            • VariantInit.OLEAUT32(00000000), ref: 00831823
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                            • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                            • API String ID: 1234038744-3931177956
                                                            • Opcode ID: dbb1e585b509660ed7b1c9615fef8a48bd49b92c2cfb0598e7ec164c8dc612cb
                                                            • Instruction ID: 5683be3c03ffecb98681da6544804c34960198e479f667bb01ece32e6949bd75
                                                            • Opcode Fuzzy Hash: dbb1e585b509660ed7b1c9615fef8a48bd49b92c2cfb0598e7ec164c8dc612cb
                                                            • Instruction Fuzzy Hash: 2CD1B171A00219EBDF109F65D88DB79B7B5FF84B04F14845AE806EB280DB38EC45DBA1
                                                            APIs
                                                              • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
                                                              • Part of subcall function 0084C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084B6AE,?,?), ref: 0084C9B5
                                                              • Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084C9F1
                                                              • Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA68
                                                              • Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA9E
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0084B6F4
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0084B772
                                                            • RegDeleteValueW.ADVAPI32(?,?), ref: 0084B80A
                                                            • RegCloseKey.ADVAPI32(?), ref: 0084B87E
                                                            • RegCloseKey.ADVAPI32(?), ref: 0084B89C
                                                            • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0084B8F2
                                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0084B904
                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 0084B922
                                                            • FreeLibrary.KERNEL32(00000000), ref: 0084B983
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0084B994
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                                            • API String ID: 146587525-4033151799
                                                            • Opcode ID: 6453ef7f7004ee4d0f858dbe0daa2827cf62d5ae30ed2c58a33d68b00d18b83a
                                                            • Instruction ID: 0d022db7736114b4ca8787039d2c3ef67ee60df971509f30600908e32e9679ca
                                                            • Opcode Fuzzy Hash: 6453ef7f7004ee4d0f858dbe0daa2827cf62d5ae30ed2c58a33d68b00d18b83a
                                                            • Instruction Fuzzy Hash: 11C17B31208245EFD714DF24C499F2ABBE5FF84318F18855CE59A8B2A2CB35ED46CB91
                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 008425D8
                                                            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008425E8
                                                            • CreateCompatibleDC.GDI32(?), ref: 008425F4
                                                            • SelectObject.GDI32(00000000,?), ref: 00842601
                                                            • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0084266D
                                                            • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008426AC
                                                            • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008426D0
                                                            • SelectObject.GDI32(?,?), ref: 008426D8
                                                            • DeleteObject.GDI32(?), ref: 008426E1
                                                            • DeleteDC.GDI32(?), ref: 008426E8
                                                            • ReleaseDC.USER32(00000000,?), ref: 008426F3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                            • String ID: (
                                                            • API String ID: 2598888154-3887548279
                                                            • Opcode ID: d5f81a7fbb92456d3377c1d57100033973b70100c7d758906acdfa5671565557
                                                            • Instruction ID: d819e80876ad1845c5597e58cb96f3e1e0157af874c4bfc45156416322ecbe84
                                                            • Opcode Fuzzy Hash: d5f81a7fbb92456d3377c1d57100033973b70100c7d758906acdfa5671565557
                                                            • Instruction Fuzzy Hash: 1461C275D00619EFCF04CFA8D884AAEBBB5FF48310F20852AE955A7250E774A951CF54
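The call chains in these records are the raw material for the signature lines at the top of the report: the GDI sequence directly above (GetDC, CreateCompatibleBitmap, StretchBlt, GetDIBits) is a screen copy into a device-independent bitmap, the ADVAPI32 record before it deletes registry values and keys and resolves RegDeleteKeyExW at run time through LoadLibraryA/GetProcAddress, and the WININET record at the start of this section issues an HTTP request after rewriting option 0x1F, which is INTERNET_OPTION_SECURITY_FLAGS. What follows is an added example, not part of the report or of Joe Sandbox's own signature engine: a triage script that parses such "APIs" blocks, fires a behaviour only when its calls occur in the listed order (other calls may interleave), and pulls out the literal arguments the plugin recovered, such as the DLL and export names. The rule set and rule names are this example's assumptions; argument values in the records are static inferences by the IDA plugin, with "?" meaning unknown, so rules should key on constants only where the plugin printed one.

```python
"""Ordered-subsequence triage over the 'APIs' blocks of Joe Sandbox function
records. A behaviour fires only when its steps appear in order; literal
arguments (DLL names, resolved export names) are extracted separately.
Rule names and the matching scheme are this example's own assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    subcall: bool        # line came from a 'Part of subcall function' entry


CALL_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)", re.M)
# Placeholders the plugin prints for pointers/unknowns: '?' or a 32-bit hex value.
PLACEHOLDER = re.compile(r"^-?[0-9A-F]{8}$|^\?$")


def parse_calls(record):
    calls = []
    for m in CALL_LINE.finditer(record):
        args = [a for a in (m.group("args") or "").split(",") if a]
        calls.append(Call(m.group("api"), m.group("mod"), args,
                          m.group("ref"), m.group("sub") is not None))
    return calls


def literal_args(calls):
    """(api, literal) pairs: DLL names, export names, format strings."""
    return [(c.api, a) for c in calls for a in c.args if not PLACEHOLDER.match(a)]


def api(*names):
    return lambda c: c.api in names


def api_arg(name, index, value):
    return lambda c: c.api == name and len(c.args) > index and c.args[index] == value


RULES = {
    "screen capture: DC copied into a DIB": [
        api("GetDC", "GetWindowDC"), api("CreateCompatibleBitmap"),
        api("BitBlt", "StretchBlt"), api("GetDIBits")],
    "WinINet HTTP request": [
        api("HttpOpenRequestW", "HttpOpenRequestA"),
        api("HttpSendRequestW", "HttpSendRequestA")],
    # 0x1F is INTERNET_OPTION_SECURITY_FLAGS; rewriting it before the send is
    # where certificate checks get relaxed.
    "WinINet security flags rewritten before send": [
        api_arg("InternetSetOptionW", 1, "0000001F"),
        api("HttpSendRequestW", "HttpSendRequestA")],
    "registry key/value deletion": [
        api("RegConnectRegistryW", "RegOpenKeyExW", "RegOpenKeyExA"),
        api("RegDeleteValueW", "RegDeleteKeyW", "RegDeleteKeyExW")],
    "runtime API resolution via GetProcAddress": [
        api("LoadLibraryA", "LoadLibraryW"), api("GetProcAddress")],
}


def in_order(calls, steps):
    """True when every step matches a call, in order; other calls may interleave."""
    i = 0
    for c in calls:
        if i < len(steps) and steps[i](c):
            i += 1
    return i == len(steps)


def triage(record):
    calls = parse_calls(record)
    hits = [name for name, steps in RULES.items() if in_order(calls, steps)]
    return hits, literal_args(calls)


# Constructed samples, copied from the function records on this page.
REG_RECORD = """\
  • Part of subcall function 0084C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084B6AE,?,?), ref: 0084C9B5
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0084B6F4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0084B772
• RegDeleteValueW.ADVAPI32(?,?), ref: 0084B80A
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 0084B8F2
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0084B904
• RegDeleteKeyW.ADVAPI32(?,?), ref: 0084B922
"""
SCREEN_RECORD = """\
• GetDC.USER32(00000000), ref: 008425D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008425E8
• CreateCompatibleDC.GDI32(?), ref: 008425F4
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0084266D
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008426D0
• ReleaseDC.USER32(00000000,?), ref: 008426F3
"""
HTTP_RECORD = """\
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0083C4F0
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0083C533
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0083C549
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0083C554
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0083C584
"""

if __name__ == "__main__":
    for label, rec in ("registry", REG_RECORD), ("screen", SCREEN_RECORD), ("http", HTTP_RECORD):
        print(label, "->", triage(rec))
```

The ordered match is deliberately loose about interleaved calls (handle cleanup, GetLastError, SetEvent) and strict about sequence, so a function that merely imports GetDIBits for reading an icon does not fire the capture rule unless a DC was copied into a bitmap first; the literal-argument extraction is what surfaces RegDeleteKeyExW and advapi32.dll without a dedicated rule for each string.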
                                                            APIs
                                                            • ___free_lconv_mon.LIBCMT ref: 007FDAA1
                                                              • Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD659
                                                              • Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD66B
                                                              • Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD67D
                                                              • Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD68F
                                                              • Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6A1
                                                              • Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6B3
                                                              • Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6C5
                                                              • Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6D7
                                                              • Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6E9
                                                              • Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6FB
                                                              • Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD70D
                                                              • Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD71F
                                                              • Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD731
                                                            • _free.LIBCMT ref: 007FDA96
                                                              • Part of subcall function 007F29C8: HeapFree.KERNEL32(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
                                                              • Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0
                                                            • _free.LIBCMT ref: 007FDAB8
                                                            • _free.LIBCMT ref: 007FDACD
                                                            • _free.LIBCMT ref: 007FDAD8
                                                            • _free.LIBCMT ref: 007FDAFA
                                                            • _free.LIBCMT ref: 007FDB0D
                                                            • _free.LIBCMT ref: 007FDB1B
                                                            • _free.LIBCMT ref: 007FDB26
                                                            • _free.LIBCMT ref: 007FDB5E
                                                            • _free.LIBCMT ref: 007FDB65
                                                            • _free.LIBCMT ref: 007FDB82
                                                            • _free.LIBCMT ref: 007FDB9A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                            • String ID:
                                                            • API String ID: 161543041-0
                                                            • Opcode ID: a32cb01b92a63c2380454e4c83bf4aaba876aa326e018c79af99fe61a41ea6d6
                                                            • Instruction ID: 799829d14c0927f6fe4ddb61f0c2f570c4dafb790b3ec564e3d1d76f330ca4fb
                                                            • Opcode Fuzzy Hash: a32cb01b92a63c2380454e4c83bf4aaba876aa326e018c79af99fe61a41ea6d6
                                                            • Instruction Fuzzy Hash: 2A315B71644209DFEB31AA78E849B7A77EAFF00311F114519E648E73A2DA79BC418B24
                                                            APIs
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 0082369C
                                                            • _wcslen.LIBCMT ref: 008236A7
                                                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00823797
                                                            • GetClassNameW.USER32(?,?,00000400), ref: 0082380C
                                                            • GetDlgCtrlID.USER32(?), ref: 0082385D
                                                            • GetWindowRect.USER32(?,?), ref: 00823882
                                                            • GetParent.USER32(?), ref: 008238A0
                                                            • ScreenToClient.USER32(00000000), ref: 008238A7
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 00823921
                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 0082395D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                            • String ID: %s%u
                                                            • API String ID: 4010501982-679674701
                                                            • Opcode ID: 69e2b7ba4c80add8fbb917325c4f7d224fa81c228ce40308d310342b16c1e8a5
                                                            • Instruction ID: 9979dd12483b1417e44b77402b45ae15511227801ef39de92be695d03c182df0
                                                            • Opcode Fuzzy Hash: 69e2b7ba4c80add8fbb917325c4f7d224fa81c228ce40308d310342b16c1e8a5
                                                            • Instruction Fuzzy Hash: D791D171204726AFD718DF24D8A5FAAF7E9FF45340F008529F999C2190DB38EA85CB91
                                                            APIs
                                                            • GetClassNameW.USER32(?,?,00000400), ref: 00824994
                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 008249DA
                                                            • _wcslen.LIBCMT ref: 008249EB
                                                            • CharUpperBuffW.USER32(?,00000000), ref: 008249F7
                                                            • _wcsstr.LIBVCRUNTIME ref: 00824A2C
                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 00824A64
                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 00824A9D
                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 00824AE6
                                                            • GetClassNameW.USER32(?,?,00000400), ref: 00824B20
                                                            • GetWindowRect.USER32(?,?), ref: 00824B8B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                            • String ID: ThumbnailClass
                                                            • API String ID: 1311036022-1241985126
                                                            • Opcode ID: d517923fc514db12ed1325e499c8db71a616e65658b4dcea2ccce06cbac1415e
                                                            • Instruction ID: 15a45442942fa4ad80686347ec42b88f27cfa446d0fbeeebe2c1198aeb70c367
                                                            • Opcode Fuzzy Hash: d517923fc514db12ed1325e499c8db71a616e65658b4dcea2ccce06cbac1415e
                                                            • Instruction Fuzzy Hash: A391BD7100432A9FDB04DF54E885BAA77E8FF84314F049469FD86DA096EB34ED85CBA1
                                                            APIs
                                                              • Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2
                                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00858D5A
                                                            • GetFocus.USER32 ref: 00858D6A
                                                            • GetDlgCtrlID.USER32(00000000), ref: 00858D75
                                                            • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00858E1D
                                                            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00858ECF
                                                            • GetMenuItemCount.USER32(?), ref: 00858EEC
                                                            • GetMenuItemID.USER32(?,00000000), ref: 00858EFC
                                                            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00858F2E
                                                            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00858F70
                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00858FA1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                            • String ID: 0
                                                            • API String ID: 1026556194-4108050209
                                                            • Opcode ID: 7c9db59c5cca1bee0837007c290a8cd6568a5d3d458304346f05d16b858e1272
                                                            • Instruction ID: 793dbcae710509eafbeead28c842877fb50cd406dd57fd32af0bde830010cdfe
                                                            • Opcode Fuzzy Hash: 7c9db59c5cca1bee0837007c290a8cd6568a5d3d458304346f05d16b858e1272
                                                            • Instruction Fuzzy Hash: 30819C71508301EFDB10DF24C885AABBBEAFB88355F04095AFD85E7291DB30D908CB62
                                                            APIs
                                                            • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0082DC20
                                                            • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0082DC46
                                                            • _wcslen.LIBCMT ref: 0082DC50
                                                            • _wcsstr.LIBVCRUNTIME ref: 0082DCA0
                                                            • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0082DCBC
                                                            Strings
                                                            Similarity
                                                            • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                            • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                            • API String ID: 1939486746-1459072770
                                                            • Opcode ID: 7f607c2d9e297c0a775e29b08e4d6c71c4ebd49aac45d84fcbd5a5c58618b379
                                                            • Instruction ID: aab70a7a07a8eb06ce43e9ccc781235c6df8036d02e0cce7cae7bc2de571aa10
                                                            • Opcode Fuzzy Hash: 7f607c2d9e297c0a775e29b08e4d6c71c4ebd49aac45d84fcbd5a5c58618b379
                                                            • Instruction Fuzzy Hash: 22412772940315BBDB10A7759C0BEFF3B6CFF49710F10006AFA01E6282EB7999418BA5
                                                            APIs
                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0084CC64
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0084CC8D
                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0084CD48
                                                              • Part of subcall function 0084CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0084CCAA
                                                              • Part of subcall function 0084CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0084CCBD
                                                              • Part of subcall function 0084CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0084CCCF
                                                              • Part of subcall function 0084CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0084CD05
                                                              • Part of subcall function 0084CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0084CD28
                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 0084CCF3
                                                            Strings
                                                            Similarity
                                                            • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                                            • API String ID: 2734957052-4033151799
                                                            • Opcode ID: 97d0a2d76dd8784f48c33537185f1c91d91a49f8940922e683c2c2709f459dbe
                                                            • Instruction ID: 5a3a70278185d0505df676f476b1c4b9e4a69468dbe61879715e0740be9cd488
                                                            • Opcode Fuzzy Hash: 97d0a2d76dd8784f48c33537185f1c91d91a49f8940922e683c2c2709f459dbe
                                                            • Instruction Fuzzy Hash: D8318A7190222DBFDB609BA4DC88EFFBB7CFF05751F000165A906E2250DA389A45DAA0
                                                            APIs
                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00833D40
                                                            • _wcslen.LIBCMT ref: 00833D6D
                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00833D9D
                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00833DBE
                                                            • RemoveDirectoryW.KERNEL32(?), ref: 00833DCE
                                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00833E55
                                                            • CloseHandle.KERNEL32(00000000), ref: 00833E60
                                                            • CloseHandle.KERNEL32(00000000), ref: 00833E6B
                                                            Strings
                                                            Similarity
                                                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                            • String ID: :$\$\??\%s
                                                            • API String ID: 1149970189-3457252023
                                                            • Opcode ID: 7a14c922d5f8e9fb5980c69b3307ecca4bcc6a0045ce582174d3e5b54e16607b
                                                            • Instruction ID: c8dfaab8efb55686cc37fe958db9ecd7f63631b8bb7286ef2fcd062b208b10c9
                                                            • Opcode Fuzzy Hash: 7a14c922d5f8e9fb5980c69b3307ecca4bcc6a0045ce582174d3e5b54e16607b
                                                            • Instruction Fuzzy Hash: A031927190024AABDB219BA0DC49FEF77BCFF88701F1041B6F619D6160EB7897848B64
                                                            APIs
                                                            • timeGetTime.WINMM ref: 0082E6B4
                                                              • Part of subcall function 007DE551: timeGetTime.WINMM(?,?,0082E6D4), ref: 007DE555
                                                            • Sleep.KERNEL32(0000000A), ref: 0082E6E1
                                                            • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0082E705
                                                            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0082E727
                                                            • SetActiveWindow.USER32 ref: 0082E746
                                                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0082E754
                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 0082E773
                                                            • Sleep.KERNEL32(000000FA), ref: 0082E77E
                                                            • IsWindow.USER32 ref: 0082E78A
                                                            • EndDialog.USER32(00000000), ref: 0082E79B
                                                            Strings
                                                            Similarity
                                                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                            • String ID: BUTTON
                                                            • API String ID: 1194449130-3405671355
                                                            • Opcode ID: 40603e76ed9141183f64af181ad9181df79d571ffcf7264cc563300a834cc780
                                                            • Instruction ID: 7750904e7cf03c79a9a900e97f083272da8c5932e67320f1dc8372e8009db7c3
                                                            • Opcode Fuzzy Hash: 40603e76ed9141183f64af181ad9181df79d571ffcf7264cc563300a834cc780
                                                            • Instruction Fuzzy Hash: 5F219370304315BFEB11AFA4FC89A253BA9F77474AF140426F516C16A2DB79AC40DF29
                                                            APIs
                                                              • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
                                                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0082EA5D
                                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0082EA73
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0082EA84
                                                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0082EA96
                                                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0082EAA7
                                                            Strings
                                                            Similarity
                                                            • API ID: SendString$_wcslen
                                                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                            • API String ID: 2420728520-1007645807
                                                            • Opcode ID: 8040dba88ddd6feb1b42121799290e454fd85895c398a2634fadda5f714b9508
                                                            • Instruction ID: 909c664c36aee1055bccee6e58921691cca18a42e9ca7c5be003a4f512dac22a
                                                            • Opcode Fuzzy Hash: 8040dba88ddd6feb1b42121799290e454fd85895c398a2634fadda5f714b9508
                                                            • Instruction Fuzzy Hash: B1114F21A90269B9D720B7A1EC4AEFF6B7CFBD1B40F40042DB811E21D1EA741955C6B0
                                                            APIs
                                                            • GetKeyboardState.USER32(?), ref: 0082A012
                                                            • SetKeyboardState.USER32(?), ref: 0082A07D
                                                            • GetAsyncKeyState.USER32(000000A0), ref: 0082A09D
                                                            • GetKeyState.USER32(000000A0), ref: 0082A0B4
                                                            • GetAsyncKeyState.USER32(000000A1), ref: 0082A0E3
                                                            • GetKeyState.USER32(000000A1), ref: 0082A0F4
                                                            • GetAsyncKeyState.USER32(00000011), ref: 0082A120
                                                            • GetKeyState.USER32(00000011), ref: 0082A12E
                                                            • GetAsyncKeyState.USER32(00000012), ref: 0082A157
                                                            • GetKeyState.USER32(00000012), ref: 0082A165
                                                            • GetAsyncKeyState.USER32(0000005B), ref: 0082A18E
                                                            • GetKeyState.USER32(0000005B), ref: 0082A19C
                                                            Similarity
                                                            • API ID: State$Async$Keyboard
                                                            • String ID:
                                                            • API String ID: 541375521-0
                                                            • Opcode ID: 6e313eb1780e3227169e5972a6abae50c9895c364d2b15760000e441623fb5b4
                                                            • Instruction ID: 818fd8c0a4b4bb334d3e845b33a6f44fa89cf679a63dbe08e28b792c19524bf3
                                                            • Opcode Fuzzy Hash: 6e313eb1780e3227169e5972a6abae50c9895c364d2b15760000e441623fb5b4
                                                            • Instruction Fuzzy Hash: 1C510B205047A86AFB39DBA4A9107EABFF4FF11350F084599D5C2D71C2DA649ACCCB63
                                                            APIs
                                                            • GetDlgItem.USER32(?,00000001), ref: 00825CE2
                                                            • GetWindowRect.USER32(00000000,?), ref: 00825CFB
                                                            • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00825D59
                                                            • GetDlgItem.USER32(?,00000002), ref: 00825D69
                                                            • GetWindowRect.USER32(00000000,?), ref: 00825D7B
                                                            • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00825DCF
                                                            • GetDlgItem.USER32(?,000003E9), ref: 00825DDD
                                                            • GetWindowRect.USER32(00000000,?), ref: 00825DEF
                                                            • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00825E31
                                                            • GetDlgItem.USER32(?,000003EA), ref: 00825E44
                                                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00825E5A
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00825E67
                                                            Similarity
                                                            • API ID: Window$ItemMoveRect$Invalidate
                                                            • String ID:
                                                            • API String ID: 3096461208-0
                                                            • Opcode ID: e60f5b204fa3bc6f7c361c2a2b9c15a1571896c9e5d4a240d00f31af1a96171f
                                                            • Instruction ID: a825481e42e4ee0583d0b35df4a1637e335da7e1a8ed97395723ffe22a448f53
                                                            • Opcode Fuzzy Hash: e60f5b204fa3bc6f7c361c2a2b9c15a1571896c9e5d4a240d00f31af1a96171f
                                                            • Instruction Fuzzy Hash: 5D511C71A40719AFDF18CF68DD89AAEBBB5FB48301F108129F915E6290D774AE40CF50
                                                            APIs
                                                              • Part of subcall function 007D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007D8BE8,?,00000000,?,?,?,?,007D8BBA,00000000,?), ref: 007D8FC5
                                                            • DestroyWindow.USER32(?), ref: 007D8C81
                                                            • KillTimer.USER32(00000000,?,?,?,?,007D8BBA,00000000,?), ref: 007D8D1B
                                                            • DestroyAcceleratorTable.USER32(00000000), ref: 00816973
                                                            • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,007D8BBA,00000000,?), ref: 008169A1
                                                            • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,007D8BBA,00000000,?), ref: 008169B8
                                                            • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,007D8BBA,00000000), ref: 008169D4
                                                            • DeleteObject.GDI32(00000000), ref: 008169E6
                                                            Similarity
                                                            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                            • String ID:
                                                            • API String ID: 641708696-0
                                                            • Opcode ID: 924c510b89e18d7630f5885df56e2fe598f5fa2cd97d91a417e3eca4dfac5c4a
                                                            • Instruction ID: 66c070590683f01a8e02922216fd15755c2179afa99ddbf1d4ee31971ad0d14b
                                                            • Opcode Fuzzy Hash: 924c510b89e18d7630f5885df56e2fe598f5fa2cd97d91a417e3eca4dfac5c4a
                                                            • Instruction Fuzzy Hash: B961BE30116711DFCF61AF18D948B69BBF5FF40312F18455EE0869AAA0CB39A8D0CF62
                                                            APIs
                                                              • Part of subcall function 007D9944: GetWindowLongW.USER32(?,000000EB), ref: 007D9952
                                                            • GetSysColor.USER32(0000000F), ref: 007D9862
                                                            Similarity
                                                            • API ID: ColorLongWindow
                                                            • String ID:
                                                            • API String ID: 259745315-0
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .~
                                                            • API String ID: 0-505086709
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0080F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00829717
                                                            • LoadStringW.USER32(00000000,?,0080F7F8,00000001), ref: 00829720
                                                              • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
                                                            • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0080F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00829742
                                                            • LoadStringW.USER32(00000000,?,0080F7F8,00000001), ref: 00829745
                                                            • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00829866
                                                            Strings
                                                            Similarity
                                                            • API ID: HandleLoadModuleString$Message_wcslen
                                                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                            • API String ID: 747408836-2268648507
                                                            APIs
                                                              • Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A
                                                            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008207A2
                                                            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008207BE
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008207DA
                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00820804
                                                            • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0082082C
                                                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00820837
                                                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0082083C
                                                            Strings
                                                            Similarity
                                                            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                            • API String ID: 323675364-22481851
                                                            APIs
                                                            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0085403B
                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00854042
                                                            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00854055
                                                            • SelectObject.GDI32(00000000,00000000), ref: 0085405D
                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 00854068
                                                            • DeleteDC.GDI32(00000000), ref: 00854072
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 0085407C
                                                            • SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00854092
                                                            • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0085409E
                                                            Strings
                                                            Similarity
                                                            • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                            • String ID: static
                                                            • API String ID: 2559357485-2160076837
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 00843C5C
                                                            • CoInitialize.OLE32(00000000), ref: 00843C8A
                                                            • CoUninitialize.OLE32 ref: 00843C94
                                                            • _wcslen.LIBCMT ref: 00843D2D
                                                            • GetRunningObjectTable.OLE32(00000000,?), ref: 00843DB1
                                                            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00843ED5
                                                            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00843F0E
                                                            • CoGetObject.OLE32(?,00000000,0085FB98,?), ref: 00843F2D
                                                            • SetErrorMode.KERNEL32(00000000), ref: 00843F40
                                                            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00843FC4
                                                            • VariantClear.OLEAUT32(?), ref: 00843FD8
                                                            Similarity
                                                            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                            • String ID:
                                                            • API String ID: 429561992-0
                                                            APIs
                                                            • CoInitialize.OLE32(00000000), ref: 00837AF3
                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00837B8F
                                                            • SHGetDesktopFolder.SHELL32(?), ref: 00837BA3
                                                            • CoCreateInstance.OLE32(0085FD08,00000000,00000001,00886E6C,?), ref: 00837BEF
                                                            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00837C74
                                                            • CoTaskMemFree.OLE32(?,?), ref: 00837CCC
                                                            • SHBrowseForFolderW.SHELL32(?), ref: 00837D57
                                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00837D7A
                                                            • CoTaskMemFree.OLE32(00000000), ref: 00837D81
                                                            • CoTaskMemFree.OLE32(00000000), ref: 00837DD6
                                                            • CoUninitialize.OLE32 ref: 00837DDC
                                                            Similarity
                                                            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                            • String ID:
                                                            • API String ID: 2762341140-0
                                                            APIs
                                                            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00855504
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00855515
                                                            • CharNextW.USER32(00000158), ref: 00855544
                                                            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00855585
                                                            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0085559B
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008555AC
                                                            Similarity
                                                            • API ID: MessageSend$CharNext
                                                            • String ID:
                                                            • API String ID: 1350042424-0
                                                            APIs
                                                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0081FAAF
                                                            • SafeArrayAllocData.OLEAUT32(?), ref: 0081FB08
                                                            • VariantInit.OLEAUT32(?), ref: 0081FB1A
                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 0081FB3A
                                                            • VariantCopy.OLEAUT32(?,?), ref: 0081FB8D
                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 0081FBA1
                                                            • VariantClear.OLEAUT32(?), ref: 0081FBB6
                                                            • SafeArrayDestroyData.OLEAUT32(?), ref: 0081FBC3
                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0081FBCC
                                                            • VariantClear.OLEAUT32(?), ref: 0081FBDE
                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0081FBE9
                                                            Similarity
                                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                            • String ID:
                                                            • API String ID: 2706829360-0
                                                            APIs
                                                            • GetKeyboardState.USER32(?), ref: 00829CA1
                                                            • GetAsyncKeyState.USER32(000000A0), ref: 00829D22
                                                            • GetKeyState.USER32(000000A0), ref: 00829D3D
                                                            • GetAsyncKeyState.USER32(000000A1), ref: 00829D57
                                                            • GetKeyState.USER32(000000A1), ref: 00829D6C
                                                            • GetAsyncKeyState.USER32(00000011), ref: 00829D84
                                                            • GetKeyState.USER32(00000011), ref: 00829D96
                                                            • GetAsyncKeyState.USER32(00000012), ref: 00829DAE
                                                            • GetKeyState.USER32(00000012), ref: 00829DC0
                                                            • GetAsyncKeyState.USER32(0000005B), ref: 00829DD8
                                                            • GetKeyState.USER32(0000005B), ref: 00829DEA
                                                            Similarity
                                                            • API ID: State$Async$Keyboard
                                                            • String ID:
                                                            • API String ID: 541375521-0
                                                            APIs
                                                            • WSAStartup.WSOCK32(00000101,?), ref: 008405BC
                                                            • inet_addr.WSOCK32(?), ref: 0084061C
                                                            • gethostbyname.WSOCK32(?), ref: 00840628
                                                            • IcmpCreateFile.IPHLPAPI ref: 00840636
                                                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008406C6
                                                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008406E5
                                                            • IcmpCloseHandle.IPHLPAPI(?), ref: 008407B9
                                                            • WSACleanup.WSOCK32 ref: 008407BF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                            • String ID: Ping
                                                            • API String ID: 1028309954-2246546115
                                                            • Opcode ID: 97da15e02fba154c9355fc546c13483c5e2b74c3cf328e5334d6ba098bc315e5
                                                            • Instruction ID: 679abf5bfe679ffc303341b132986380dab7af22b02d539f9e44e502d5ff3876
                                                            • Opcode Fuzzy Hash: 97da15e02fba154c9355fc546c13483c5e2b74c3cf328e5334d6ba098bc315e5
                                                            • Instruction Fuzzy Hash: 8E9157356043059FD320DF15C889F1ABBE0FB88318F1585A9E66ADB6A2C735ED41CF92
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _wcslen$BuffCharLower
                                                            • String ID: cdecl$none$stdcall$winapi
                                                            • API String ID: 707087890-567219261
                                                            • Opcode ID: ab5ca4eb60bf2e9c477cf90e91529d65e130be5c818d4dfd095efff00a6fe6f1
                                                            • Instruction ID: cac2f49caa7152924ea0bd40af5d7af20fe5438fc059fd7dea5e2ac9f15f188e
                                                            • Opcode Fuzzy Hash: ab5ca4eb60bf2e9c477cf90e91529d65e130be5c818d4dfd095efff00a6fe6f1
                                                            • Instruction Fuzzy Hash: E6519031A0111ADBCF24EFACC9409BEB7A5FF64724B214229E926E72C5EB35DD40C790
                                                            APIs
                                                            • CoInitialize.OLE32 ref: 00843774
                                                            • CoUninitialize.OLE32 ref: 0084377F
                                                            • CoCreateInstance.OLE32(?,00000000,00000017,0085FB78,?), ref: 008437D9
                                                            • IIDFromString.OLE32(?,?), ref: 0084384C
                                                            • VariantInit.OLEAUT32(?), ref: 008438E4
                                                            • VariantClear.OLEAUT32(?), ref: 00843936
                                                            Strings
                                                            Similarity
                                                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                            • API String ID: 636576611-1287834457
                                                            • Opcode ID: aeb995adcbeb73302d1a8a1b71bb5288492ca255acfaac6daf2772b776784cc6
                                                            • Instruction ID: 3abb555afe6fdc8937a07397e016269bd4f1e5401c81806859e4ea36363c6c67
                                                            • Opcode Fuzzy Hash: aeb995adcbeb73302d1a8a1b71bb5288492ca255acfaac6daf2772b776784cc6
                                                            • Instruction Fuzzy Hash: 7F616AB0608315AFD310DF54C889B6ABBE8FF49715F100829F995DB291D774EE48CB92
                                                            APIs
                                                            • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008333CF
                                                              • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
                                                            • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008333F0
                                                            Strings
                                                            Similarity
                                                            • API ID: LoadString$_wcslen
                                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                            • API String ID: 4099089115-3080491070
                                                            • Opcode ID: 8c11d9549bd51f87184d04dc85ccb752c26af71e6ca54eeb460480ca885648c8
                                                            • Instruction ID: abd8cabedb6422c54157ca4a478dbdcfe090c768ebcdebc30cdddb9f1a2ff19e
                                                            • Opcode Fuzzy Hash: 8c11d9549bd51f87184d04dc85ccb752c26af71e6ca54eeb460480ca885648c8
                                                            • Instruction Fuzzy Hash: A951BE3190020AEADF14EBA0DD4AEEEB7B8FF14340F104169F505B2192EB392F58DB61
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _wcslen$BuffCharUpper
                                                            • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                            • API String ID: 1256254125-769500911
                                                            • Opcode ID: 63b35fbdc7f8c79a3abf3c88ceb918a9d51fc2079d64b42445433dc9eb5f6824
                                                            • Instruction ID: 4af1de377458b904db5fb1ee7578e6c1d393765d68e8528c99939f7488ec2bb3
                                                            • Opcode Fuzzy Hash: 63b35fbdc7f8c79a3abf3c88ceb918a9d51fc2079d64b42445433dc9eb5f6824
                                                            • Instruction Fuzzy Hash: B741A532A021369BCB206FBD98905BE77A5FB70758B244229E562D7284F735CDC1C790
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 008353A0
                                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00835416
                                                            • GetLastError.KERNEL32 ref: 00835420
                                                            • SetErrorMode.KERNEL32(00000000,READY), ref: 008354A7
                                                            Strings
                                                            Similarity
                                                            • API ID: Error$Mode$DiskFreeLastSpace
                                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                            • API String ID: 4194297153-14809454
                                                            • Opcode ID: 5e1b3656d63530f551a156777de2e7aa76b694ba14acd260c30c022279b63cda
                                                            • Instruction ID: 1c6a831d21927122c3cae6bc8082f60cf8a9117d572e8f6e9990cf660a6c1cf8
                                                            • Opcode Fuzzy Hash: 5e1b3656d63530f551a156777de2e7aa76b694ba14acd260c30c022279b63cda
                                                            • Instruction Fuzzy Hash: 523180B5A006089FC714DF68C488FAABBB4FF85309F148069E905DB292E775DD86CBD1
                                                            APIs
                                                            • CreateMenu.USER32 ref: 00853C79
                                                            • SetMenu.USER32(?,00000000), ref: 00853C88
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00853D10
                                                            • IsMenu.USER32(?), ref: 00853D24
                                                            • CreatePopupMenu.USER32 ref: 00853D2E
                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00853D5B
                                                            • DrawMenuBar.USER32 ref: 00853D63
                                                            Strings
                                                            Similarity
                                                            • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                            • String ID: 0$F
                                                            • API String ID: 161812096-3044882817
                                                            • Opcode ID: 887ae02a88bd71a121b2cff82650506b25d3eefca3231ebff1208438bbfc3c69
                                                            • Instruction ID: 5b634b9ff1332377d7e3c97e6f8531e1a76c1122273166e9f8dd85372b5f997e
                                                            • Opcode Fuzzy Hash: 887ae02a88bd71a121b2cff82650506b25d3eefca3231ebff1208438bbfc3c69
                                                            • Instruction Fuzzy Hash: 82415775A01309EFDB14CFA4D844BAABBB5FF49392F140029ED46A7360D734AA18CF90
                                                            APIs
                                                              • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
                                                              • Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA
                                                            • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00821F64
                                                            • GetDlgCtrlID.USER32 ref: 00821F6F
                                                            • GetParent.USER32 ref: 00821F8B
                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00821F8E
                                                            • GetDlgCtrlID.USER32(?), ref: 00821F97
                                                            • GetParent.USER32(?), ref: 00821FAB
                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00821FAE
                                                            Strings
                                                            Similarity
                                                            • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 711023334-1403004172
                                                            • Opcode ID: c00da9a20fbe483b967b40e87321349413e794f207e18e80062d5e33f3539c5b
                                                            • Instruction ID: 566f2b534bc7bfec6d9b8a9c1a8aa497066bb24dcefce2a3dafffbb5539ac9d5
                                                            • Opcode Fuzzy Hash: c00da9a20fbe483b967b40e87321349413e794f207e18e80062d5e33f3539c5b
                                                            • Instruction Fuzzy Hash: 2A21C570A00214BFCF04AFA0DC59EEEBBB5FF25310B100119F961A7291DB385A54DB60
                                                            APIs
                                                              • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
                                                              • Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA
                                                            • SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00822043
                                                            • GetDlgCtrlID.USER32 ref: 0082204E
                                                            • GetParent.USER32 ref: 0082206A
                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 0082206D
                                                            • GetDlgCtrlID.USER32(?), ref: 00822076
                                                            • GetParent.USER32(?), ref: 0082208A
                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 0082208D
                                                            Strings
                                                            Similarity
                                                            • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 711023334-1403004172
                                                            • Opcode ID: a1618488a314bd86871d25900e92c610f01c59b3e08b0e9e6b1cc69d038bb77a
                                                            • Instruction ID: 8808a861568103791829e7c0af6e4f5a0b38f42f6c702578ee4f33d5ea929a69
                                                            • Opcode Fuzzy Hash: a1618488a314bd86871d25900e92c610f01c59b3e08b0e9e6b1cc69d038bb77a
                                                            • Instruction Fuzzy Hash: 7A21C271900218BFCF10AFA0DC49EEEBBB8FF15300F000419B951A72A1DB795954DB60
                                                            APIs
                                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00853A9D
                                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00853AA0
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00853AC7
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00853AEA
                                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00853B62
                                                            • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00853BAC
                                                            • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00853BC7
                                                            • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00853BE2
                                                            • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00853BF6
                                                            • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00853C13
                                                            Similarity
                                                            • API ID: MessageSend$LongWindow
                                                            • String ID:
                                                            • API String ID: 312131281-0
                                                            • Opcode ID: 234ab90af00932a804482343aef1084e8fe9ae74e39771d01afef405a77df36c
                                                            • Instruction ID: 39c229bde0c697f8fb87be3bc3fbbd7d2b035bc408bf926c02d46fcaf21aa115
                                                            • Opcode Fuzzy Hash: 234ab90af00932a804482343aef1084e8fe9ae74e39771d01afef405a77df36c
                                                            • Instruction Fuzzy Hash: 1E617875A00208AFDB11DFA8CC85EEEB7B8FB09750F14409AFA15E72A1C774AE45DB50
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 0082B151
                                                            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B165
                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 0082B16C
                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B17B
                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0082B18D
                                                            • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B1A6
                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B1B8
                                                            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B1FD
                                                            • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B212
                                                            • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B21D
                                                            Similarity
                                                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                            • String ID:
                                                            • API String ID: 2156557900-0
                                                            • Opcode ID: 6f5ca538e1c18e2d5d56aa47f4ff50773ebfaefa1df3285ba931a4293339c1a7
                                                            • Instruction ID: 3fbca6b2dc2f573d0c75c1525bed491b914aa24aad457baf715d49fd1b3ff6f5
                                                            • Opcode Fuzzy Hash: 6f5ca538e1c18e2d5d56aa47f4ff50773ebfaefa1df3285ba931a4293339c1a7
                                                            • Instruction Fuzzy Hash: A63189B5511714EFDB10AF64EC48B6E7BA9FB61312F14400AFA02D6191D7B89A80CF64
                                                            APIs
                                                            • _free.LIBCMT ref: 007F2C94
                                                              • Part of subcall function 007F29C8: HeapFree.KERNEL32(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
                                                              • Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0
                                                            • _free.LIBCMT ref: 007F2CA0
                                                            • _free.LIBCMT ref: 007F2CAB
                                                            • _free.LIBCMT ref: 007F2CB6
                                                            • _free.LIBCMT ref: 007F2CC1
                                                            • _free.LIBCMT ref: 007F2CCC
                                                            • _free.LIBCMT ref: 007F2CD7
                                                            • _free.LIBCMT ref: 007F2CE2
                                                            • _free.LIBCMT ref: 007F2CED
                                                            • _free.LIBCMT ref: 007F2CFB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 7b75c0e7b2429211e8078bde9c561d54c2d89f3ec88833cdb2bd27df62978d69
                                                            • Instruction ID: 148bf57f52749e1f80555ee72404c39cbf539e99d82ee78528d34da244b03d05
                                                            • Opcode Fuzzy Hash: 7b75c0e7b2429211e8078bde9c561d54c2d89f3ec88833cdb2bd27df62978d69
                                                            • Instruction Fuzzy Hash: 5A11807614010DEFCB02EF94D886CAD3BA5BF05350F5144A5FA48AB332DA75EA519F90
                                                            APIs
                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00837FAD
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00837FC1
                                                            • GetFileAttributesW.KERNEL32(?), ref: 00837FEB
                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00838005
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00838017
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00838060
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008380B0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectory$AttributesFile
                                                            • String ID: *.*
                                                            • API String ID: 769691225-438819550
                                                            • Opcode ID: e8ec9025c627e1b97cae3c6a3010e9143f9517a67ec349d198c5e5cc35674310
                                                            • Instruction ID: 18ea1dee8fadd51b538f60904bdd7673d6c1bf29969d97ac1c4da601d3e05785
                                                            • Opcode Fuzzy Hash: e8ec9025c627e1b97cae3c6a3010e9143f9517a67ec349d198c5e5cc35674310
                                                            • Instruction Fuzzy Hash: 75817DB2508345DBCB34EF14C894AAAB3E8FBC8714F14486EF885D7250EB79DD458B92
                                                            APIs
                                                            • SetWindowLongW.USER32(?,000000EB), ref: 007C5C7A
                                                              • Part of subcall function 007C5D0A: GetClientRect.USER32(?,?), ref: 007C5D30
                                                              • Part of subcall function 007C5D0A: GetWindowRect.USER32(?,?), ref: 007C5D71
                                                              • Part of subcall function 007C5D0A: ScreenToClient.USER32(?,?), ref: 007C5D99
                                                            • GetDC.USER32 ref: 008046F5
                                                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00804708
                                                            • SelectObject.GDI32(00000000,00000000), ref: 00804716
                                                            • SelectObject.GDI32(00000000,00000000), ref: 0080472B
                                                            • ReleaseDC.USER32(?,00000000), ref: 00804733
                                                            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008047C4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                            • String ID: U
                                                            • API String ID: 4009187628-3372436214
                                                            • Opcode ID: cfd3eb0f1f8b6aa1d693881df3a001e3861b63f9482b759d13e9408ee52497e2
                                                            • Instruction ID: ce6abef5fbf266bc86b5a3458114e8310efb7b12000445c9182520b3e11f88a4
                                                            • Opcode Fuzzy Hash: cfd3eb0f1f8b6aa1d693881df3a001e3861b63f9482b759d13e9408ee52497e2
                                                            • Instruction Fuzzy Hash: DF71F170500209DFCF618F64CD84EBA3BB1FF4A315F185269EE519A2A6D7369881DF60
                                                            APIs
                                                            • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008335E4
                                                              • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
                                                            • LoadStringW.USER32(00892390,?,00000FFF,?), ref: 0083360A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: LoadString$_wcslen
                                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                            • API String ID: 4099089115-2391861430
                                                            • Opcode ID: ecee116e0739371d9298d38b3b360d59f6b16837960df311462c52e91b943f6f
                                                            • Instruction ID: ad8d2e08a3e4e001e93e7c25c4fb0c91338eff452f960f4ecd1827d2dde71829
                                                            • Opcode Fuzzy Hash: ecee116e0739371d9298d38b3b360d59f6b16837960df311462c52e91b943f6f
                                                            • Instruction Fuzzy Hash: DF516D7190021AFADF14EBA0DC4AEEDBB78FF14340F144129F515B21A1EB381A98DFA1
                                                            APIs
                                                              • Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2
                                                              • Part of subcall function 007D912D: GetCursorPos.USER32(?), ref: 007D9141
                                                              • Part of subcall function 007D912D: ScreenToClient.USER32(00000000,?), ref: 007D915E
                                                              • Part of subcall function 007D912D: GetAsyncKeyState.USER32(00000001), ref: 007D9183
                                                              • Part of subcall function 007D912D: GetAsyncKeyState.USER32(00000002), ref: 007D919D
                                                            • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00858B6B
                                                            • ImageList_EndDrag.COMCTL32 ref: 00858B71
                                                            • ReleaseCapture.USER32 ref: 00858B77
                                                            • SetWindowTextW.USER32(?,00000000), ref: 00858C12
                                                            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00858C25
                                                            • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00858CFF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                            • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                            • API String ID: 1924731296-2107944366
                                                            • Opcode ID: 6f9d727f5779309e79d33119f9dafccbc351c799f42d95e03eeecb2299cba96e
                                                            • Instruction ID: 6c29c2614dd13b6dbda373de9008d52255541dd91e76d59b288dbadacd7a6155
                                                            • Opcode Fuzzy Hash: 6f9d727f5779309e79d33119f9dafccbc351c799f42d95e03eeecb2299cba96e
                                                            • Instruction Fuzzy Hash: 6F517C71104304AFDB00EF24DC5AFAA77E4FB84715F44062EF956A72A1DB749D08CB62
                                                            APIs
                                                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0083C272
                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0083C29A
                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0083C2CA
                                                            • GetLastError.KERNEL32 ref: 0083C322
                                                            • SetEvent.KERNEL32(?), ref: 0083C336
                                                            • InternetCloseHandle.WININET(00000000), ref: 0083C341
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                            • String ID:
                                                            • API String ID: 3113390036-3916222277
                                                            • Opcode ID: 62069151e0132c7c2778360bfa362ffcb3f4d01cfb748e1ef172c66bccae6949
                                                            • Instruction ID: 6412d31e1343938fdaabcf3b6f47eeed56a73ad4d9907122ef4fa7cea6b2ea44
                                                            • Opcode Fuzzy Hash: 62069151e0132c7c2778360bfa362ffcb3f4d01cfb748e1ef172c66bccae6949
                                                            • Instruction Fuzzy Hash: 52314DB1600708AFDB219F65DC88AAB7BFCFB89745F14851DF446E6200DB34DD059BA1
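The AttachThreadInput/GetWindowThreadProcessId listing and the WinINet listing above are the kind of API chains a reviewer pulls out of these per-function records by hand. The script below is an added example, not part of the Joe Sandbox report or the Joe Sandbox IDA plugin: it parses entries in the exact shape shown on this page (bullet, `API.MODULE(args), ref: address`, plus the indented `Part of subcall function` variant and entries without an argument list) into records, keeps `?` as an unresolved value and string arguments as strings, and then flags call chains and `AttachThreadInput(..., fAttach=TRUE)` call sites. The sample lines are copied from this page; the chain names and the grouping of APIs into chains are this example's own assumptions, not Joe Sandbox signatures.

```python
import re
from collections import Counter
from typing import Dict, List, Union

# Constructed sample: entries copied from the "APIs" listings on this page, including
# an entry without an argument list, a "Part of subcall function" line and a string argument.
SAMPLE_TRACE = """\
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B17B
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0082B18D
• AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B1A6
• _free.LIBCMT ref: 007F2C94
  • Part of subcall function 007F29C8: HeapFree.KERNEL32(00000000,00000000,?,007FD7D1), ref: 007F29DE
• GetDC.USER32 ref: 008046F5
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,Bad directive syntax error,0085CC08,>>>AUTOIT SCRIPT<<<), ref: 008298BC
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0083C272
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0083C29A
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0083C2CA
"""

# One listing entry: optional subcall prefix, API.MODULE, optional "(args)", then "ref: <hex>".
ENTRY_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

Arg = Union[int, str, None]


def parse_arg(token: str) -> Arg:
    """'?' means the plugin could not resolve the value; hex becomes an int; anything else is a recovered string."""
    token = token.strip()
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token


def parse_trace(text: str) -> List[Dict]:
    """Parse listing lines into records; raises on a line that does not match the page's format."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised entry: {line!r}")
        args = m["args"]
        records.append({
            "api": m["api"],
            "module": m["module"],
            "args": [parse_arg(a) for a in args.split(",")] if args else [],
            "ref": int(m["ref"], 16),
            # Enclosing function address for "Part of subcall function" lines, else None.
            "caller": int(m["caller"], 16) if m["caller"] else None,
        })
    return records


# Chain labels and API groupings are this example's own assumptions, not Joe Sandbox signatures.
CHAINS = {
    "attach-input-to-other-thread": {"AttachThreadInput", "GetWindowThreadProcessId"},
    "wininet-http-request": {"InternetOpenUrlW", "HttpSendRequestW", "HttpQueryInfoW"},
}


def flag_chains(records: List[Dict], include_subcalls: bool = False) -> List[str]:
    """Names of chains whose every API appears in the listing (subcall lines excluded by default)."""
    seen = {r["api"] for r in records if include_subcalls or r["caller"] is None}
    return sorted(name for name, apis in CHAINS.items() if apis <= seen)


def attach_true_refs(records: List[Dict]) -> List[int]:
    """Call sites where AttachThreadInput is invoked with fAttach == TRUE (its third argument)."""
    return [r["ref"] for r in records
            if r["api"] == "AttachThreadInput" and len(r["args"]) >= 3 and r["args"][2] == 1]


def module_histogram(records: List[Dict]) -> Counter:
    """How many entries resolve to each module (USER32, WININET, ...)."""
    return Counter(r["module"] for r in records)


if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    print(f"{len(recs)} entries; modules: {dict(module_histogram(recs))}")
    print("chains:", flag_chains(recs))
    print("AttachThreadInput(fAttach=TRUE) at:", [f"{r:08X}" for r in attach_true_refs(recs)])
```

Subcall lines are excluded from chain matching by default because they describe a callee that may be reached from many functions; pass `include_subcalls=True` to count them when reviewing a whole module rather than one function. A hex-looking string argument (for example `face`) would be parsed as an integer by `parse_arg`; the listings on this page carry no such value, but a parser run over a full report should carry the raw token alongside the parsed one.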
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00803AAF,?,?,Bad directive syntax error,0085CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008298BC
                                                            • LoadStringW.USER32(00000000,?,00803AAF,?), ref: 008298C3
                                                              • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
                                                            • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00829987
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: HandleLoadMessageModuleString_wcslen
                                                            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                            • API String ID: 858772685-4153970271
                                                            • Opcode ID: 1f1a3fba22dcf1b714b8bdf5cc9490acbec906fc5dbd901f3c6d2856531527e2
                                                            • Instruction ID: ec59cfcd30ed32bce4f2491fa1bd39d6a9e0e23edde665cbc686ab7efa9a5cf8
                                                            • Opcode Fuzzy Hash: 1f1a3fba22dcf1b714b8bdf5cc9490acbec906fc5dbd901f3c6d2856531527e2
                                                            • Instruction Fuzzy Hash: AF21803190031AEBCF11AF90DC0AEEE7779FF18304F04445EF529A61A2EB399668CB11
                                                            APIs
                                                            • GetParent.USER32 ref: 008220AB
                                                            • GetClassNameW.USER32(00000000,?,00000100), ref: 008220C0
                                                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0082214D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameParentSend
                                                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                            • API String ID: 1290815626-3381328864
                                                            • Opcode ID: a9f5a792dc54f11396f29cd57d1abb4f5c0dd6c7534b22e965e57d3e19e56493
                                                            • Instruction ID: 457452c497638deedea74084079feb82a7b57569c9a3c097be2f8d19aad2ccb1
                                                            • Opcode Fuzzy Hash: a9f5a792dc54f11396f29cd57d1abb4f5c0dd6c7534b22e965e57d3e19e56493
                                                            • Instruction Fuzzy Hash: 8211277A684716F9F6012221AC0ACE637DCFF18334B200026F704E40D1FF6978A15618
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                            • String ID:
                                                            • API String ID: 1282221369-0
                                                            • Opcode ID: 7f499602bd6a6e0557cae1bba3f6a1d69fdaddf647049b7ab8035206d1c0cc6a
                                                            • Instruction ID: c5f044e4c979612d5c0d8d6c691afa57c06959d708f898b73044ebe8bcbe0b89
                                                            • Opcode Fuzzy Hash: 7f499602bd6a6e0557cae1bba3f6a1d69fdaddf647049b7ab8035206d1c0cc6a
                                                            • Instruction Fuzzy Hash: 8361287290430DAFDB22AFB49949679BBE5EF05320F04426EFB41A7382D63D9D019B50
                                                            APIs
                                                            • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00855186
                                                            • ShowWindow.USER32(?,00000000), ref: 008551C7
                                                            • ShowWindow.USER32(?,00000005,?,00000000), ref: 008551CD
                                                            • SetFocus.USER32(?,?,00000005,?,00000000), ref: 008551D1
                                                              • Part of subcall function 00856FBA: DeleteObject.GDI32(00000000), ref: 00856FE6
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0085520D
                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0085521A
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0085524D
                                                            • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00855287
                                                            • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00855296
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                            • String ID:
                                                            • API String ID: 3210457359-0
                                                            • Opcode ID: 33117f2f06b6a3353abfc608c49c1a3258bf50d33af087dc2f586768ece78ee8
                                                            • Instruction ID: 18ca3a688ade054c403ff73cb2f014919265f0ba615df94e765a9b297b104c4b
                                                            • Opcode Fuzzy Hash: 33117f2f06b6a3353abfc608c49c1a3258bf50d33af087dc2f586768ece78ee8
                                                            • Instruction Fuzzy Hash: 4C518F30A90A09BEEF209F24CC69B983BA5FB05367F144016FE15D66E0C775A988DF41
                                                            APIs
                                                            • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00816890
                                                            • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008168A9
                                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008168B9
                                                            • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008168D1
                                                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008168F2
                                                            • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,007D8874,00000000,00000000,00000000,000000FF,00000000), ref: 00816901
                                                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0081691E
                                                            • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,007D8874,00000000,00000000,00000000,000000FF,00000000), ref: 0081692D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                            • String ID:
                                                            • API String ID: 1268354404-0
                                                            • Opcode ID: 6f58edd349530dc4748dd7c2b5755c61b182fa7bd101d4cd3cd32b1d25c521ea
                                                            • Instruction ID: 35a7f22effe271234a2e4a27f2b0d7205f7cd8c0b0e06e82e41cf8501165d792
                                                            • Opcode Fuzzy Hash: 6f58edd349530dc4748dd7c2b5755c61b182fa7bd101d4cd3cd32b1d25c521ea
                                                            • Instruction Fuzzy Hash: 69518AB0600305EFDB20DF28CC95FAA7BB5FF48351F14452AF956D62A0EB74A990DB50
                                                            APIs
                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0083C182
                                                            • GetLastError.KERNEL32 ref: 0083C195
                                                            • SetEvent.KERNEL32(?), ref: 0083C1A9
                                                              • Part of subcall function 0083C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0083C272
                                                              • Part of subcall function 0083C253: GetLastError.KERNEL32 ref: 0083C322
                                                              • Part of subcall function 0083C253: SetEvent.KERNEL32(?), ref: 0083C336
                                                              • Part of subcall function 0083C253: InternetCloseHandle.WININET(00000000), ref: 0083C341
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                            • String ID:
                                                            • API String ID: 337547030-0
                                                            • Opcode ID: 3c5f5ce8dcd88b892bae7295606955a3dae050b54e8220e570441d1ca6d32710
                                                            • Instruction ID: 55a03792e8d970f7e1cb8b637689345fc726e385bf9329e2c6fdd7acb07f66be
                                                            • Opcode Fuzzy Hash: 3c5f5ce8dcd88b892bae7295606955a3dae050b54e8220e570441d1ca6d32710
                                                            • Instruction Fuzzy Hash: CC317871200705AFDB219FA9DC44A6BBBE9FF98301F00442DF956E6610DB34E814EFA0
                                                            APIs
                                                              • Part of subcall function 00823A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00823A57
                                                              • Part of subcall function 00823A3D: GetCurrentThreadId.KERNEL32 ref: 00823A5E
                                                              • Part of subcall function 00823A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008225B3), ref: 00823A65
                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 008225BD
                                                            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008225DB
                                                            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008225DF
                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 008225E9
                                                            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00822601
                                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00822605
                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 0082260F
                                                            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00822623
                                                            • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00822627
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                            • String ID:
                                                            • API String ID: 2014098862-0
                                                            • Opcode ID: f3729a2411a822b5660c9290ac5975a35eb63dbe1e2289509019801618d7d5ee
                                                            • Instruction ID: aadd33f229d9ee95b329cb83597e25192174aed9aff3668e8486854835b64916
                                                            • Opcode Fuzzy Hash: f3729a2411a822b5660c9290ac5975a35eb63dbe1e2289509019801618d7d5ee
                                                            • Instruction Fuzzy Hash: AE01D431390724BBFB1067689C8AF593F99FB5EB12F100016F318EE1D1C9E624848E6A
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00821449,?,?,00000000), ref: 0082180C
                                                            • HeapAlloc.KERNEL32(00000000,?,00821449,?,?,00000000), ref: 00821813
                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00821449,?,?,00000000), ref: 00821828
                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,00821449,?,?,00000000), ref: 00821830
                                                            • DuplicateHandle.KERNEL32(00000000,?,00821449,?,?,00000000), ref: 00821833
                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00821449,?,?,00000000), ref: 00821843
                                                            • GetCurrentProcess.KERNEL32(00821449,00000000,?,00821449,?,?,00000000), ref: 0082184B
                                                            • DuplicateHandle.KERNEL32(00000000,?,00821449,?,?,00000000), ref: 0082184E
                                                            • CreateThread.KERNEL32(00000000,00000000,00821874,00000000,00000000,00000000), ref: 00821868
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                            • String ID:
                                                            • API String ID: 1957940570-0
                                                            • Opcode ID: 21d88d27ecd1774a3c9566dddd3e4035c028c4a0abdc300d2e6ac9c4a8c947a1
                                                            • Instruction ID: c9b630d17981d7986f3ee78d21fa1528d1a997e1db6ebe5b7e38d34d8272e93c
                                                            • Opcode Fuzzy Hash: 21d88d27ecd1774a3c9566dddd3e4035c028c4a0abdc300d2e6ac9c4a8c947a1
                                                            • Instruction Fuzzy Hash: 9101A8B5680708BFEA10ABA5DC4DF6B7BACFB89B11F404411FA05DB2A1CA749844CF20
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: __alldvrm$_strrchr
                                                            • String ID: }}~$}}~$}}~
                                                            • API String ID: 1036877536-980401515
                                                            • Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                                                            • Instruction ID: a83b395225473955e3d6d073bf53ac8486c36a11e46acbf9b6e35fe3aeecbd3d
                                                            • Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                                                            • Instruction Fuzzy Hash: 60A12672E0028E9FEB25CE18C8917BFBBE4EF65350F1441ADE6959B382D63C8981C751
                                                            APIs
                                                              • Part of subcall function 0082D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0082D501
                                                              • Part of subcall function 0082D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0082D50F
                                                              • Part of subcall function 0082D4DC: CloseHandle.KERNEL32(00000000), ref: 0082D5DC
                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0084A16D
                                                            • GetLastError.KERNEL32 ref: 0084A180
                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0084A1B3
                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 0084A268
                                                            • GetLastError.KERNEL32(00000000), ref: 0084A273
                                                            • CloseHandle.KERNEL32(00000000), ref: 0084A2C4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                            • String ID: SeDebugPrivilege
                                                            • API String ID: 2533919879-2896544425
                                                            • Opcode ID: d1827643e29534127f5ae9649f141327f8b32fe10fd88224a56f6af397828716
                                                            • Instruction ID: eb6881e024c5b5ab7fe1706f7e8a1a05c455af64474c84fd168dcbb4e315c2f8
                                                            • Opcode Fuzzy Hash: d1827643e29534127f5ae9649f141327f8b32fe10fd88224a56f6af397828716
                                                            • Instruction Fuzzy Hash: DD617B312442569FD724DF18C498F2ABBA1FF54318F18848CE4668F7A2C7B6ED45CB92
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00853925
                                                            • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0085393A
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00853954
                                                            • _wcslen.LIBCMT ref: 00853999
                                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 008539C6
                                                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 008539F4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window_wcslen
                                                            • String ID: SysListView32
                                                            • API String ID: 2147712094-78025650
                                                            • Opcode ID: b142457c139606c6a6d2d2ea0a80a6bf664eb0ea376de8e8074874bbc543a112
                                                            • Instruction ID: cd63969a9a7897e7bf89b5248c65ba31ff5ede642a17bae90bea9d0bfb493fb5
                                                            • Opcode Fuzzy Hash: b142457c139606c6a6d2d2ea0a80a6bf664eb0ea376de8e8074874bbc543a112
                                                            • Instruction Fuzzy Hash: 21419571A00319ABEF219F64CC49FEA7BA9FF08395F10052AF954E7281D7759E84CB90
                                                            APIs
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0082BCFD
                                                            • IsMenu.USER32(00000000), ref: 0082BD1D
                                                            • CreatePopupMenu.USER32 ref: 0082BD53
                                                            • GetMenuItemCount.USER32(00D35610), ref: 0082BDA4
                                                            • InsertMenuItemW.USER32(00D35610,?,00000001,00000030), ref: 0082BDCC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                            • String ID: 0$2
                                                            • API String ID: 93392585-3793063076
                                                            • Opcode ID: f82b0dd104e58dfa16f17663b70b7898024c85092ba4fa8c7d1fbc892f06d1dd
                                                            • Instruction ID: de5a772d43b379bae56b7f94c523db56320e00e86f5ed700f302b2e3eb224c78
                                                            • Opcode Fuzzy Hash: f82b0dd104e58dfa16f17663b70b7898024c85092ba4fa8c7d1fbc892f06d1dd
                                                            • Instruction Fuzzy Hash: BD51AD70A02329ABDB10CFA8E888BEEBBF4FF45354F148159E851D72D1E7749981CB61
                                                            APIs
                                                            • _ValidateLocalCookies.LIBCMT ref: 007E2D4B
                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 007E2D53
                                                            • _ValidateLocalCookies.LIBCMT ref: 007E2DE1
                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 007E2E0C
                                                            • _ValidateLocalCookies.LIBCMT ref: 007E2E61
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                            • String ID: &H~$csm
                                                            • API String ID: 1170836740-3418752573
                                                            • Opcode ID: c887d400749ae42c76fbd2a13e09c8f693649b1686cb1ccf9b9b6a8468c5c748
                                                            • Instruction ID: d0d074d5457f3f40d52769fed0f9e79a1335d4f8535167e878daac8cc9d822c1
                                                            • Opcode Fuzzy Hash: c887d400749ae42c76fbd2a13e09c8f693649b1686cb1ccf9b9b6a8468c5c748
                                                            • Instruction Fuzzy Hash: CE41A934E02249EBCF10DF59CC49A9EBBB9BF48314F148155E9149B353D7799A12CB90
                                                            APIs
                                                            • LoadIconW.USER32(00000000,00007F03), ref: 0082C913
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: IconLoad
                                                            • String ID: blank$info$question$stop$warning
                                                            • API String ID: 2457776203-404129466
                                                            • Opcode ID: 0a87fa9c2af5e981d1ae4a9c41bbbb56ffa1539d5d091f14587f66eeffc7ca9d
                                                            • Instruction ID: 72d82e15cff4d987e9a9eb35d4323dcf661ae38b10df57d546cd7a208b041e17
                                                            • Opcode Fuzzy Hash: 0a87fa9c2af5e981d1ae4a9c41bbbb56ffa1539d5d091f14587f66eeffc7ca9d
                                                            • Instruction Fuzzy Hash: 26112E3168931ABAE7006B54AC82CBE2B9CFF15324B50403AF500E6281E7A85DC05768
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                            • String ID: 0.0.0.0
                                                            • API String ID: 642191829-3771769585
                                                            • Opcode ID: be4fe60530c0ae8176c266b191bfb5943f569f5b90fd35a4dafc3fa791d1caf6
                                                            • Instruction ID: 374c53dbccb141e0e47bca5ee0d0986e0abd7cdd1003c043b6f4acb88e568464
                                                            • Opcode Fuzzy Hash: be4fe60530c0ae8176c266b191bfb5943f569f5b90fd35a4dafc3fa791d1caf6
                                                            • Instruction Fuzzy Hash: 1B110A75904318AFDB20BB64AC0ADEE7B6CFF18711F0101B9F445EA091EF789AC18A60
                                                            APIs
                                                              • Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2
                                                            • GetSystemMetrics.USER32(0000000F), ref: 00859FC7
                                                            • GetSystemMetrics.USER32(0000000F), ref: 00859FE7
                                                            • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0085A224
                                                            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0085A242
                                                            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0085A263
                                                            • ShowWindow.USER32(00000003,00000000), ref: 0085A282
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 0085A2A7
                                                            • DefDlgProcW.USER32(?,00000005,?,?), ref: 0085A2CA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                            • String ID:
                                                            • API String ID: 1211466189-0
                                                            • Opcode ID: cdfbac1703eb9f7f5e8c75176fddc226ef3123369eb8e87848a35b78807cac28
                                                            • Instruction ID: 2b263212240770f56277c11ca1462b7495c771d799e3889619898d8ed954fbd2
                                                            • Opcode Fuzzy Hash: cdfbac1703eb9f7f5e8c75176fddc226ef3123369eb8e87848a35b78807cac28
                                                            • Instruction Fuzzy Hash: D2B17835600619DFDF18CF68C9C57AA7BB2FF48702F088169EC89EB295D731A948CB51
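The entries in this listing (resolved API calls with their call-site addresses, the API ID / String ID pair, and the per-function fuzzy hashes) are the raw material a triage script works from. What follows is an added example, not code from the Joe Sandbox report or from the Joe Sandbox IDA plugin: a small Python parser for this listing format, run over lines copied from the window-handling entry above and from the gethostname/gethostbyname/inet_ntoa entry whose String ID is 0.0.0.0. The block-boundary rules it relies on (a bullet of the form Name.MODULE(args), ref: ADDR is an API call, a "Part of subcall function ADDR:" prefix marks a call made from a callee, and the Instruction Fuzzy Hash line is the last line of an entry) are inferred from the visible listing only, and the NETWORK_MARKERS watch list is the example's own choice.

```python
# Added example, not Joe Sandbox's own code: a parser for the per-function
# listing format shown on this page.  Assumed from the visible listing only:
# bullet lines "Name.MODULE(args), ref: ADDR" are API calls, "Part of subcall
# function ADDR:" marks a call made from a callee, and "Instruction Fuzzy
# Hash:" is the last line of an entry.
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from two entries on this page.
SAMPLE = """\
APIs
  • Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2
• GetSystemMetrics.USER32(0000000F), ref: 00859FC7
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0085A242
• ShowWindow.USER32(00000003,00000000), ref: 0085A282
• __freea.LIBCMT ref: 008017A2
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID:
• API String ID: 1211466189-0
• Instruction Fuzzy Hash: D2B17835600619DFDF18CF68C9C57AA7BB2FF48702F088169EC89EB295D731A948CB51
APIs
Similarity
• API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 642191829-3771769585
• Instruction Fuzzy Hash: 1B110A75904318AFDB20BB64AC0ADEE7B6CFF18711F0101B9F445EA091EF789AC18A60
"""

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<val>.*?)\s*$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list                     # hex args as ints, None for an unresolved '?'
    ref: int                       # call-site address
    subcall_of: int | None = None  # callee address when the call is nested

@dataclass
class FunctionEntry:
    api_calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # "API ID", "String ID", ...

    @property
    def api_string_hashes(self) -> tuple | None:
        # "API String ID: A-B" is kept as the pair of dash-separated integers;
        # the page does not say how they are derived, so nothing is recomputed.
        v = self.fields.get("API String ID", "")
        if "-" not in v:
            return None
        a, b = v.split("-", 1)
        return int(a), int(b)

def _parse_args(raw: str | None) -> list:
    # "00000003,?,0000FFFF" -> [3, None, 65535]
    if not raw or not raw.strip():
        return []
    return [None if t.strip() == "?" else int(t, 16) for t in raw.split(",")]

def parse_report(text: str) -> list:
    # Split the listing into FunctionEntry records, one per fuzzy-hash block.
    entries, cur = [], FunctionEntry()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            cur.api_calls.append(ApiCall(
                m["name"], m["module"], _parse_args(m["args"]), int(m["ref"], 16),
                int(m["sub"], 16) if m["sub"] else None))
            continue
        m = FIELD_LINE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"]
            if m["key"] == "Instruction Fuzzy Hash":  # last line of an entry
                entries.append(cur)
                cur = FunctionEntry()
    if cur.api_calls or cur.fields:  # entry truncated by the page: keep it
        entries.append(cur)
    return entries

# Socket-API names worth a second look; the example's own watch list.
NETWORK_MARKERS = ("gethostbyname", "gethostname", "inet_ntoa", "socket",
                   "listen", "accept", "wsastartup")

def network_indicators(entries: list) -> list:
    # Entries whose API ID or resolved call names mention a socket API.
    hits = []
    for e in entries:
        names = [e.fields.get("API ID", "")] + [c.name for c in e.api_calls]
        hay = " ".join(names).lower()
        if any(mk in hay for mk in NETWORK_MARKERS):
            hits.append(e)
    return hits
```

The second sample entry has no API lines on the page, only the API ID string, so the watch list is matched against the API ID as well as the resolved call names; that is what lets the gethostname/gethostbyname/inet_ntoa entry surface even though its call sites are not listed. Calls nested under "Part of subcall function" keep the callee address in subcall_of so a reader can tell a direct call from one reached through a helper.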
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$LocalTime
                                                            • String ID:
                                                            • API String ID: 952045576-0
                                                            • Opcode ID: 0e78d5b186ef999d215e9c1f8564f774860e72f32d783fecbb2b65b12c7c2029
                                                            • Instruction ID: 7f4806df5adaee17ab1fc8458681e8bf1a51d50b100a644447daaaabd71efa52
                                                            • Opcode Fuzzy Hash: 0e78d5b186ef999d215e9c1f8564f774860e72f32d783fecbb2b65b12c7c2029
                                                            • Instruction Fuzzy Hash: F1417266C11258B5CB11EBF5888E9CF77ACFF49710F504462E614E3122EB38E655C3E9
                                                            APIs
                                                            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0081682C,00000004,00000000,00000000), ref: 007DF953
                                                            • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0081682C,00000004,00000000,00000000), ref: 0081F3D1
                                                            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0081682C,00000004,00000000,00000000), ref: 0081F454
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ShowWindow
                                                            • String ID:
                                                            • API String ID: 1268545403-0
                                                            • Opcode ID: 5d780a9bbb6da38b4795f5aa586e4318f437b26760a907e593e278b97cc8f049
                                                            • Instruction ID: a2eac427a6189a2d23532ce8322ffced11f0765e2d626d7494f752f314a3e708
                                                            • Opcode Fuzzy Hash: 5d780a9bbb6da38b4795f5aa586e4318f437b26760a907e593e278b97cc8f049
                                                            • Instruction Fuzzy Hash: 3A410870A08780BECB399B2D88A876A7AB5FF55314F14403EE18BD6761C639B8C0CB11
                                                            APIs
                                                            • DeleteObject.GDI32(00000000), ref: 00852D1B
                                                            • GetDC.USER32(00000000), ref: 00852D23
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00852D2E
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00852D3A
                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00852D76
                                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00852D87
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00855A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00852DC2
                                                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00852DE1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                            • String ID:
                                                            • API String ID: 3864802216-0
                                                            • Opcode ID: 43ae84b9a0ef33d9f480f669aefe49aaa1e490f0b73ea10f39db50510924932a
                                                            • Instruction ID: 465d927982271e0990244e69a0d33e4a28c51290bed385fb4df16cd2400b1a87
                                                            • Opcode Fuzzy Hash: 43ae84b9a0ef33d9f480f669aefe49aaa1e490f0b73ea10f39db50510924932a
                                                            • Instruction Fuzzy Hash: 60316B72201714BFEB118F548C8AFEB3FA9FB1A756F044055FE08DA291C6799C50CBA4
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _memcmp
                                                            • String ID:
                                                            • API String ID: 2931989736-0
                                                            • Opcode ID: 1bc43a31db38b938d5118ffc1f2be9829304ac0af1234a49ead3301be2818235
                                                            • Instruction ID: a538a66cb5c5f305e6b1a26f352b1248adce2ce722fa71f30ce33d0e3e3af508
                                                            • Opcode Fuzzy Hash: 1bc43a31db38b938d5118ffc1f2be9829304ac0af1234a49ead3301be2818235
                                                            • Instruction Fuzzy Hash: 5321B371AC2A69BBD2149525AE82FBB235CFF34395F840030FE05DA686F738ED5481A5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: NULL Pointer assignment$Not an Object type
                                                            • API String ID: 0-572801152
                                                            • Opcode ID: 2b99fc7ffede0469337e864967f07a15f621e4064c34fab105a1f2db408046e4
                                                            • Instruction ID: 9f11ed61effe3b1202cb7047dc3749c7ef5e5d2999bcd30fffd3d6591bbfc6b6
                                                            • Opcode Fuzzy Hash: 2b99fc7ffede0469337e864967f07a15f621e4064c34fab105a1f2db408046e4
                                                            • Instruction Fuzzy Hash: 99D18C75A0061EAFDB10CFA8C881BAEB7B5FF48344F148469E915EB282E771DD45CB90
                                                            APIs
                                                            • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,008017FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 008015CE
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00801651
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,008017FB,?,008017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008016E4
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008016FB
                                                              • Part of subcall function 007F3820: RtlAllocateHeap.NTDLL(00000000,?,00891444,?,007DFDF5,?,?,007CA976,00000010,00891440,007C13FC,?,007C13C6,?,007C1129), ref: 007F3852
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,008017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00801777
                                                            • __freea.LIBCMT ref: 008017A2
                                                            • __freea.LIBCMT ref: 008017AE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                            • String ID:
                                                            • API String ID: 2829977744-0
                                                            • Opcode ID: 6340e59447d84d55aa3d9393bb76f65ac0c3860d81051305e6a9022f30376dd6
                                                            • Instruction ID: bb0c76376fce074beb8107cf584df1b6695a30720795a44aae83973b680ad5b2
                                                            • Opcode Fuzzy Hash: 6340e59447d84d55aa3d9393bb76f65ac0c3860d81051305e6a9022f30376dd6
                                                            • Instruction Fuzzy Hash: 02919472E0021A9EDF608E64CC89AFE7BB5FF49724F184659E911EB2C5DB25DC40CB60
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearInit
                                                            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                            • API String ID: 2610073882-625585964
                                                            • Opcode ID: e9b05e8431eeb1257a1bc041fa71c4b1b2b789b0fb6a0e1e2d530fb87837f282
                                                            • Instruction ID: 5498833e78a6addc9177ad3ab499107db2c898db1db8898972eca4d579306ca4
                                                            • Opcode Fuzzy Hash: e9b05e8431eeb1257a1bc041fa71c4b1b2b789b0fb6a0e1e2d530fb87837f282
                                                            • Instruction Fuzzy Hash: 80918971A0021DABDF20CFA4C888FAEBBB8FF46714F109559E515EB281D7749946CFA0
                                                            APIs
                                                            • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0083125C
                                                            • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00831284
                                                            • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008312A8
                                                            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008312D8
                                                            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0083135F
                                                            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008313C4
                                                            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00831430
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                            • String ID:
                                                            • API String ID: 2550207440-0
                                                            • Opcode ID: a23838bb7f75a48bfbd6562bda8694b26f906296833ca976b356edda3c037942
                                                            • Instruction ID: db9ad9cf690ed972d5f597f4c563a5db164328cda020265339807434eb02d3fc
                                                            • Opcode Fuzzy Hash: a23838bb7f75a48bfbd6562bda8694b26f906296833ca976b356edda3c037942
                                                            • Instruction Fuzzy Hash: 9191D271A002099FDF00DFA8C898BBEB7B5FF84B15F144429E911EB291DB78A941CBD5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ObjectSelect$BeginCreatePath
                                                            • String ID:
                                                            • API String ID: 3225163088-0
                                                            • Opcode ID: 9b9e114eb9db3d60655231bf17aaae27173a497d8c63be46c8a40e4df4e7dca3
                                                            • Instruction ID: 61d866f9acd12799a97bf74b5ff5cbe1d245edc3120e3526c09602fadbf8fb3f
                                                            • Opcode Fuzzy Hash: 9b9e114eb9db3d60655231bf17aaae27173a497d8c63be46c8a40e4df4e7dca3
                                                            • Instruction Fuzzy Hash: 14912971D40219EFCB10CFA9CC88AEEBBB8FF49320F14455AE516B7291D378A951CB60
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 0084396B
                                                            • CharUpperBuffW.USER32(?,?), ref: 00843A7A
                                                            • _wcslen.LIBCMT ref: 00843A8A
                                                            • VariantClear.OLEAUT32(?), ref: 00843C1F
                                                              • Part of subcall function 00830CDF: VariantInit.OLEAUT32(00000000), ref: 00830D1F
                                                              • Part of subcall function 00830CDF: VariantCopy.OLEAUT32(?,?), ref: 00830D28
                                                              • Part of subcall function 00830CDF: VariantClear.OLEAUT32(?), ref: 00830D34
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                            • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                            • API String ID: 4137639002-1221869570
                                                            • Opcode ID: cfd2d2616f658c1524ca117a0f78b4275e9f68386a68ce59d6f9757b2e7a725f
                                                            • Instruction ID: e32b35823c0deebf4d2e883ffbf2b600287979f1dac293bcc334f990e347e6ed
                                                            • Opcode Fuzzy Hash: cfd2d2616f658c1524ca117a0f78b4275e9f68386a68ce59d6f9757b2e7a725f
                                                            • Instruction Fuzzy Hash: 139133746083099FC704EF28C48596AB7E5FF88314F14882EF88A9B351DB35EE45CB92
                                                            APIs
                                                              • Part of subcall function 0082000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?,?,0082035E), ref: 0082002B
                                                              • Part of subcall function 0082000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?), ref: 00820046
                                                              • Part of subcall function 0082000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?), ref: 00820054
                                                              • Part of subcall function 0082000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?), ref: 00820064
                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00844C51
                                                            • _wcslen.LIBCMT ref: 00844D59
                                                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00844DCF
                                                            • CoTaskMemFree.OLE32(?), ref: 00844DDA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                            • String ID: NULL Pointer assignment
                                                            • API String ID: 614568839-2785691316
                                                            • Opcode ID: 07b0e55f923fe90e3b4606c5922d839fd81f9aa155096000c2e9026cedadecc5
                                                            • Instruction ID: aa66dacace15bc8cb718323d6e8f127c38ea22e7319c9290ef5ec586c2490acc
                                                            • Opcode Fuzzy Hash: 07b0e55f923fe90e3b4606c5922d839fd81f9aa155096000c2e9026cedadecc5
                                                            • Instruction Fuzzy Hash: AC910171D0021DEFDF10DFA4D895AEEB7B9FF08314F10816AE915A7251EB34AA458FA0
                                                            APIs
                                                            • GetMenu.USER32(?), ref: 00852183
                                                            • GetMenuItemCount.USER32(00000000), ref: 008521B5
                                                            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008521DD
                                                            • _wcslen.LIBCMT ref: 00852213
                                                            • GetMenuItemID.USER32(?,?), ref: 0085224D
                                                            • GetSubMenu.USER32(?,?), ref: 0085225B
                                                              • Part of subcall function 00823A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00823A57
                                                              • Part of subcall function 00823A3D: GetCurrentThreadId.KERNEL32 ref: 00823A5E
                                                              • Part of subcall function 00823A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008225B3), ref: 00823A65
                                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008522E3
                                                              • Part of subcall function 0082E97B: Sleep.KERNEL32 ref: 0082E9F3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                            • String ID:
                                                            • API String ID: 4196846111-0
                                                            • Opcode ID: d43e42fde20b0c5f25444afcd1895929b1c4d6e14197ce22add8a477e39ca4ba
                                                            • Instruction ID: e1be0b351cda687cc9927434cd9ff54796521a583a9b2ed18cf335b4c6d9744d
                                                            • Opcode Fuzzy Hash: d43e42fde20b0c5f25444afcd1895929b1c4d6e14197ce22add8a477e39ca4ba
                                                            • Instruction Fuzzy Hash: 0B718E75A00215EFCB10DF68C885AAEB7F1FF49311F148499E816EB351DB38AE458F90
                                                            APIs
                                                            • IsWindow.USER32(00D35700), ref: 00857F37
                                                            • IsWindowEnabled.USER32(00D35700), ref: 00857F43
                                                            • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0085801E
                                                            • SendMessageW.USER32(00D35700,000000B0,?,?), ref: 00858051
                                                            • IsDlgButtonChecked.USER32(?,?), ref: 00858089
                                                            • GetWindowLongW.USER32(00D35700,000000EC), ref: 008580AB
                                                            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 008580C3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                            • String ID:
                                                            • API String ID: 4072528602-0
                                                            • Opcode ID: 458e630bda4bbcd48719478298b43ca51a210144c485437a395dca7ea07d4bea
                                                            • Instruction ID: 9080c0823951ef37beaf0ed9a1e7050515132b684ff1dc68716b29bda6c2ac8a
                                                            • Opcode Fuzzy Hash: 458e630bda4bbcd48719478298b43ca51a210144c485437a395dca7ea07d4bea
                                                            • Instruction Fuzzy Hash: E5718C34608204EFEF21DF64D884FAABBB5FF09302F14845AED45E72A1CB31A949CB10
                                                            APIs
                                                            • GetParent.USER32(?), ref: 0082AEF9
                                                            • GetKeyboardState.USER32(?), ref: 0082AF0E
                                                            • SetKeyboardState.USER32(?), ref: 0082AF6F
                                                            • PostMessageW.USER32(?,00000101,00000010,?), ref: 0082AF9D
                                                            • PostMessageW.USER32(?,00000101,00000011,?), ref: 0082AFBC
                                                            • PostMessageW.USER32(?,00000101,00000012,?), ref: 0082AFFD
                                                            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0082B020
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessagePost$KeyboardState$Parent
                                                            • String ID:
                                                            • API String ID: 87235514-0
                                                            • Opcode ID: e01d214a18312f96e23d9ba32c685ca4c431f7e567ce949b479f634b164d66da
                                                            • Instruction ID: f2ab9d4218a2f0ad9c03138c5f79e4d342d687dc55fba7224f845ddc7176608a
                                                            • Opcode Fuzzy Hash: e01d214a18312f96e23d9ba32c685ca4c431f7e567ce949b479f634b164d66da
                                                            • Instruction Fuzzy Hash: C951B1A06047E53EFB3A42349945BBA7FE9FF06304F088489E1E5D54C2D7A9ACC4D752
                                                            APIs
                                                            • GetParent.USER32(00000000), ref: 0082AD19
                                                            • GetKeyboardState.USER32(?), ref: 0082AD2E
                                                            • SetKeyboardState.USER32(?), ref: 0082AD8F
                                                            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0082ADBB
                                                            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0082ADD8
                                                            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0082AE17
                                                            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0082AE38
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessagePost$KeyboardState$Parent
                                                            • String ID:
                                                            • API String ID: 87235514-0
                                                            • Opcode ID: 74eaa447a0190d3c1cdf5af005973c15388e4a6c4e1809911fad57c039cf142f
                                                            • Instruction ID: 8cedbc0c71b72bd2621151c3c16dcbd37962b288b772d8334de72e347d4d7c45
                                                            • Opcode Fuzzy Hash: 74eaa447a0190d3c1cdf5af005973c15388e4a6c4e1809911fad57c039cf142f
                                                            • Instruction Fuzzy Hash: 2A51D3A15047E53EFB3A82249C95B7ABEE8FF46300F088489E1D5D68C2D294ECC9D752
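                                                            The two GetKeyboardState/SetKeyboardState/PostMessageW functions above (0082AD19.. and 0082AEF9..) carry the same API ID "MessagePost$KeyboardState$Parent" and the same API String ID 87235514-0, yet one posts message 00000100 (WM_KEYDOWN) and the other 00000101 (WM_KEYUP), each for wParam 10/11/12/5B, i.e. VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN: the pair presses and releases the modifier keys of a target window, the building block behind the "simulate keystroke presses" signature. Those name-based summaries ignore arguments, so triage has to read the argument columns. The following is an added helper, not part of the Joe Sandbox report or of the analysed sample: it parses the bullet lines of an "APIs" record exactly as the report prints them (the sample text is copied from the three records above and the socket() record further down), decodes the Win32/Winsock constants (standard values: WM_KEYDOWN 0x100, WM_KEYUP 0x101, VK_SHIFT 0x10, VK_CONTROL 0x11, VK_MENU 0x12, VK_LWIN 0x5B, AF_INET 2, SOCK_STREAM 1, IPPROTO_TCP 6), and flags the modifier-key-injection and TCP-socket patterns. `api_summary` is only an approximation of a name-based grouping, not Joe Sandbox's actual API ID algorithm.

```python
"""Parse the 'APIs' call lists of Joe Sandbox function records and decode the Win32/Winsock
constants in the arguments, so PostMessageW(?,00000101,00000010,?) reads as WM_KEYUP / VK_SHIFT."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: the bullet lines of three function records copied from this report
# (the two GetKeyboardState/PostMessageW functions and the socket() function).
SAMPLE = """\
APIs
• GetParent.USER32(?), ref: 0082AEF9
• GetKeyboardState.USER32(?), ref: 0082AF0E
• SetKeyboardState.USER32(?), ref: 0082AF6F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 0082AF9D
• PostMessageW.USER32(?,00000101,00000011,?), ref: 0082AFBC
• PostMessageW.USER32(?,00000101,00000012,?), ref: 0082AFFD
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 0082B020
APIs
• GetParent.USER32(00000000), ref: 0082AD19
• GetKeyboardState.USER32(?), ref: 0082AD2E
• SetKeyboardState.USER32(?), ref: 0082AD8F
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0082ADBB
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0082ADD8
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0082AE17
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0082AE38
APIs
  • Part of subcall function 0084304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0084307A
  • Part of subcall function 0084304E: _wcslen.LIBCMT ref: 0084309B
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00841112
• WSAGetLastError.WSOCK32 ref: 00841121
• WSAGetLastError.WSOCK32 ref: 008411C9
• closesocket.WSOCK32(00000000), ref: 008411F9
"""

# Standard Win32 / Winsock constant values used when decoding arguments.
WM = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP"}
VK = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
AF, SOCK, PROTO = {2: "AF_INET"}, {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}, {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

# "• [Part of subcall function ADDR: ]Api.MODULE[(args)][,] ref: ADDR"
_LINE = re.compile(r"^\s*•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
                   r"(\w+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")

@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple          # argument values as ints; None where the report prints "?"
    ref: int             # address of the call site
    subcall: int | None  # callee address when the line is "Part of subcall function"

def _arg(tok: str):
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)  # int("-C000001E", 16) handles negatives

def parse_records(text: str) -> list[list[Call]]:
    """Split on 'APIs' header lines and parse every bullet line into a Call."""
    records, current = [], []
    for line in text.splitlines():
        if line.strip() == "APIs":
            if current:
                records.append(current)
            current = []
            continue
        m = _LINE.match(line)
        if m:
            sub, api, module, args, ref = m.groups()
            parsed = tuple(_arg(a) for a in args.split(",")) if args is not None else ()
            current.append(Call(api, module, parsed, int(ref, 16), int(sub, 16) if sub else None))
    if current:
        records.append(current)
    return records

def api_summary(record) -> frozenset:
    """Name-only view of a record (arguments ignored): all a name-based grouping can see."""
    return frozenset(c.api for c in record)

def key_events(record) -> list[tuple[str, str]]:
    """(message, virtual key) for each PostMessageW/SendMessageW carrying WM_KEYDOWN or WM_KEYUP."""
    out = []
    for c in record:
        if c.api in ("PostMessageW", "SendMessageW") and len(c.args) >= 3:
            msg, vk = c.args[1], c.args[2]
            if msg in WM and vk is not None:
                out.append((WM[msg], VK.get(vk, f"VK_{vk:02X}")))
    return out

def describe(record) -> list[str]:
    """Human-readable findings for one function record."""
    findings, names, keys = [], api_summary(record), key_events(record)
    if {"GetKeyboardState", "SetKeyboardState"} <= names and keys:
        msgs = "/".join(sorted({m for m, _ in keys}))
        findings.append(f"modifier-key injection: {msgs} for {', '.join(v for _, v in keys)}")
    for c in record:
        if c.api == "socket" and len(c.args) >= 3:
            fam, typ, proto = (d.get(v, v) for d, v in zip((AF, SOCK, PROTO), c.args))
            findings.append(f"socket({fam}, {typ}, {proto})")
    return findings

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(f"{rec[-1].ref:08X}: {describe(rec)}")
```

Run stand-alone it prints one decoded finding per record; the first two records produce identical `api_summary()` sets and differ only in the decoded WM_KEYUP versus WM_KEYDOWN direction, which is the distinction the report's name-based IDs collapse.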
                                                            APIs
                                                            • GetConsoleCP.KERNEL32(00803CD6,?,?,?,?,?,?,?,?,007F5BA3,?,?,00803CD6,?,?), ref: 007F5470
                                                            • __fassign.LIBCMT ref: 007F54EB
                                                            • __fassign.LIBCMT ref: 007F5506
                                                            • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00803CD6,00000005,00000000,00000000), ref: 007F552C
                                                            • WriteFile.KERNEL32(?,00803CD6,00000000,007F5BA3,00000000,?,?,?,?,?,?,?,?,?,007F5BA3,?), ref: 007F554B
                                                            • WriteFile.KERNEL32(?,?,00000001,007F5BA3,00000000,?,?,?,?,?,?,?,?,?,007F5BA3,?), ref: 007F5584
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                            • String ID:
                                                            • API String ID: 1324828854-0
                                                            • Opcode ID: b72c8d1d5839da68faed5349454b5471767cc965807d32cdc4979730b5d5e446
                                                            • Instruction ID: 8532078c2fd2b5b38892178fcf37f877d779258e6778e88addb82ca513a94113
                                                            • Opcode Fuzzy Hash: b72c8d1d5839da68faed5349454b5471767cc965807d32cdc4979730b5d5e446
                                                            • Instruction Fuzzy Hash: 52519F71A006499FDB10CFA8D845AEEBBFAEF09300F14411AE655E7391E634AA51CB60
                                                            APIs
                                                              • Part of subcall function 0084304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0084307A
                                                              • Part of subcall function 0084304E: _wcslen.LIBCMT ref: 0084309B
                                                            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00841112
                                                            • WSAGetLastError.WSOCK32 ref: 00841121
                                                            • WSAGetLastError.WSOCK32 ref: 008411C9
                                                            • closesocket.WSOCK32(00000000), ref: 008411F9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                            • String ID:
                                                            • API String ID: 2675159561-0
                                                            • Opcode ID: 62a47c7d1431d029e73532b005952d7f92769cb7eb344e57a56dd93dfaaf57ae
                                                            • Instruction ID: 554d4639b1706e12f6e5c2f3d32779a1eaee9752efc4d98230802471bbdc4bbd
                                                            • Opcode Fuzzy Hash: 62a47c7d1431d029e73532b005952d7f92769cb7eb344e57a56dd93dfaaf57ae
                                                            • Instruction Fuzzy Hash: 5A41D431600208AFDF109F24C889BA9BBE9FF45369F148059F919DB291D774ED81CFA1
                                                            APIs
                                                              • Part of subcall function 0082DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0082CF22,?), ref: 0082DDFD
                                                              • Part of subcall function 0082DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0082CF22,?), ref: 0082DE16
                                                            • lstrcmpiW.KERNEL32(?,?), ref: 0082CF45
                                                            • MoveFileW.KERNEL32(?,?), ref: 0082CF7F
                                                            • _wcslen.LIBCMT ref: 0082D005
                                                            • _wcslen.LIBCMT ref: 0082D01B
                                                            • SHFileOperationW.SHELL32(?), ref: 0082D061
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                            • String ID: \*.*
                                                            • API String ID: 3164238972-1173974218
                                                            • Opcode ID: 2463bae54e259a78e0a37b522192157bfddf505f328cc4ee61113ec497664020
                                                            • Instruction ID: da0c43342e0f4787e4395c3a453c37198e2cc1ab345bc73e0e74f3883c19175b
                                                            • Opcode Fuzzy Hash: 2463bae54e259a78e0a37b522192157bfddf505f328cc4ee61113ec497664020
                                                            • Instruction Fuzzy Hash: B84155719452299FDF12EBA4DA85EEDB7B8FF08340F1000E6E545EB142EF74A684CB51
                                                            APIs
                                                            • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00852E1C
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00852E4F
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00852E84
                                                            • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00852EB6
                                                            • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00852EE0
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00852EF1
                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00852F0B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: LongWindow$MessageSend
                                                            • String ID:
                                                            • API String ID: 2178440468-0
                                                            • Opcode ID: a164dac699f67fb3d9715358ad526d03c0ab5ad91ce94326c2518688dced6dee
                                                            • Instruction ID: 2d4f55938f6f6c95453e3dda2d76ab442f5f7f0100582a95d38f22c8cbea5dd2
                                                            • Opcode Fuzzy Hash: a164dac699f67fb3d9715358ad526d03c0ab5ad91ce94326c2518688dced6dee
                                                            • Instruction Fuzzy Hash: 2D31F230604255AFDB21DF58EC8AF653BE1FB9A712F5901A5F901CB2B2CB71B8449B41
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00827769
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0082778F
                                                            • SysAllocString.OLEAUT32(00000000), ref: 00827792
                                                            • SysAllocString.OLEAUT32(?), ref: 008277B0
                                                            • SysFreeString.OLEAUT32(?), ref: 008277B9
                                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 008277DE
                                                            • SysAllocString.OLEAUT32(?), ref: 008277EC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                            • String ID:
                                                            • API String ID: 3761583154-0
                                                            • Opcode ID: 5b308d460d8502c237d25abfdf6f6d2fa3aee6fc5003b5283ae9f20786af6ddb
                                                            • Instruction ID: e4fba6bcbcef34ad428fdebeb9315c039c077e5dccea0f0951a0599ff386c2d7
                                                            • Opcode Fuzzy Hash: 5b308d460d8502c237d25abfdf6f6d2fa3aee6fc5003b5283ae9f20786af6ddb
                                                            • Instruction Fuzzy Hash: 22219076604329AFDB10DFA9DC88CBB77ACFB097647448025FA15DB290D674DC818B64
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00827842
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00827868
                                                            • SysAllocString.OLEAUT32(00000000), ref: 0082786B
                                                            • SysAllocString.OLEAUT32 ref: 0082788C
                                                            • SysFreeString.OLEAUT32 ref: 00827895
                                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 008278AF
                                                            • SysAllocString.OLEAUT32(?), ref: 008278BD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                            • String ID:
                                                            • API String ID: 3761583154-0
                                                            • Opcode ID: 584bc99e80fe2e75cd34091fe1a5191ad21326a782a21c7820133054c70b5c5f
                                                            • Instruction ID: 6901ff76b9e1789b2c63dadbfe0ff5a2c9eec77c3a76f7154cfead02d2a552a3
                                                            • Opcode Fuzzy Hash: 584bc99e80fe2e75cd34091fe1a5191ad21326a782a21c7820133054c70b5c5f
                                                            • Instruction Fuzzy Hash: BD217435604228AFDB109FA9DC8CDAA77ECFB097607508135F915CB2A1D674DC81CB68
                                                            APIs
                                                            • GetStdHandle.KERNEL32(0000000C), ref: 008304F2
                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0083052E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CreateHandlePipe
                                                            • String ID: nul
                                                            • API String ID: 1424370930-2873401336
                                                            • Opcode ID: d2087d3a9427f597210d993f0db6f3b81ac8c2bbd96141c652ad79b475deb977
                                                            • Instruction ID: e163939e10db7e051b5effb09a5c1821cc7a90caa99a1c5c10fcc616432454fa
                                                            • Opcode Fuzzy Hash: d2087d3a9427f597210d993f0db6f3b81ac8c2bbd96141c652ad79b475deb977
                                                            • Instruction Fuzzy Hash: 3B214C75500309AFDF209F69DC54A9A7BB4FF84725F204A19F8A1E72E0E7709950CFA0
                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F6), ref: 008305C6
                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00830601
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CreateHandlePipe
                                                            • String ID: nul
                                                            • API String ID: 1424370930-2873401336
                                                            • Opcode ID: 18cc0819998b71c8a7b8909f290441e183b41c507ef1422241ed23ca4eccd62d
                                                            • Instruction ID: 39853d01765f1aafac110bde4f354ea7b000bfff32f68dc8217a59583dd548df
                                                            • Opcode Fuzzy Hash: 18cc0819998b71c8a7b8909f290441e183b41c507ef1422241ed23ca4eccd62d
                                                            • Instruction Fuzzy Hash: 332195755003059FDB209F69CC15A9A77E8FFE5B25F200A19F8A1E72D4E7709860CF90
                                                            APIs
                                                              • Part of subcall function 007C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007C604C
                                                              • Part of subcall function 007C600E: GetStockObject.GDI32(00000011), ref: 007C6060
                                                              • Part of subcall function 007C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 007C606A
                                                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00854112
                                                            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0085411F
                                                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0085412A
                                                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00854139
                                                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00854145
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CreateObjectStockWindow
                                                            • String ID: Msctls_Progress32
                                                            • API String ID: 1025951953-3636473452
                                                            • Opcode ID: 0443d26079f5f24e42d7c802f38c4aed6b1e76811dba5c03a45f5cabecdc6a0f
                                                            • Instruction ID: 1b8eb47718b7362f9d49c91e44d1afd5e88808585149b9dced74be19a6ccf51d
                                                            • Opcode Fuzzy Hash: 0443d26079f5f24e42d7c802f38c4aed6b1e76811dba5c03a45f5cabecdc6a0f
                                                            • Instruction Fuzzy Hash: BD1190B218021DBEEF119E64CC85EE77FADFF18798F105111BA18E2190C6769C619BA4
                                                            APIs
                                                              • Part of subcall function 007FD7A3: _free.LIBCMT ref: 007FD7CC
                                                            • _free.LIBCMT ref: 007FD82D
                                                              • Part of subcall function 007F29C8: HeapFree.KERNEL32(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
                                                              • Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0
                                                            • _free.LIBCMT ref: 007FD838
                                                            • _free.LIBCMT ref: 007FD843
                                                            • _free.LIBCMT ref: 007FD897
                                                            • _free.LIBCMT ref: 007FD8A2
                                                            • _free.LIBCMT ref: 007FD8AD
                                                            • _free.LIBCMT ref: 007FD8B8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                            • Instruction ID: 8956c552c3231eaeca6cd31189136c557aecdf09ecc86ff17c0af1eb67743721
                                                            • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                            • Instruction Fuzzy Hash: 3811D07158170CEAD531FFB0CC4BFEB7BDD6F05700F404815B399AA6A2D669B9054A60
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0082DA74
                                                            • LoadStringW.USER32(00000000), ref: 0082DA7B
                                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0082DA91
                                                            • LoadStringW.USER32(00000000), ref: 0082DA98
                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0082DADC
                                                            Strings
                                                            • %s (%d) : ==> %s: %s %s, xrefs: 0082DAB9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: HandleLoadModuleString$Message
                                                            • String ID: %s (%d) : ==> %s: %s %s
                                                            • API String ID: 4072794657-3128320259
                                                            • Opcode ID: a943e74e9cd9758b72e2b4fd4559bd38a2cc5c2f25927f4a9e0040bdcb8c8a41
                                                            • Instruction ID: 911b50cd9b55a526dcc1e754163492e4b9f128b59d2b195dce1b40862b0d9a8a
                                                            • Opcode Fuzzy Hash: a943e74e9cd9758b72e2b4fd4559bd38a2cc5c2f25927f4a9e0040bdcb8c8a41
                                                            • Instruction Fuzzy Hash: 3F0162F25003187FE710ABE49D89EEB376CF708306F404495B746E2041EA789E848F74
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(00D3E9F8,00D3E9F8), ref: 0083097B
                                                            • EnterCriticalSection.KERNEL32(00D3E9D8,00000000), ref: 0083098D
                                                            • TerminateThread.KERNEL32(?,000001F6), ref: 0083099B
                                                            • WaitForSingleObject.KERNEL32(?,000003E8), ref: 008309A9
                                                            • CloseHandle.KERNEL32(?), ref: 008309B8
                                                            • InterlockedExchange.KERNEL32(00D3E9F8,000001F6), ref: 008309C8
                                                            • LeaveCriticalSection.KERNEL32(00D3E9D8), ref: 008309CF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                            • String ID:
                                                            • API String ID: 3495660284-0
                                                            • Opcode ID: 64072677c92868a2ad7608ed1a067b0fee388a7d3624dc176e23028ab899c9bf
                                                            • Instruction ID: de54cd6122c0304fce091d4ca059bd18da45b45bc087406504ae3a5680c0b80f
                                                            • Opcode Fuzzy Hash: 64072677c92868a2ad7608ed1a067b0fee388a7d3624dc176e23028ab899c9bf
                                                            • Instruction Fuzzy Hash: 08F0C932442B12AFD7515BA4EE89BDABA69FF45703F802025F202948A1CB7994A5CF91
                                                            APIs
                                                            • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00841DC0
                                                            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00841DE1
                                                            • WSAGetLastError.WSOCK32 ref: 00841DF2
                                                            • htons.WSOCK32(?,?,?,?,?), ref: 00841EDB
                                                            • inet_ntoa.WSOCK32(?), ref: 00841E8C
                                                              • Part of subcall function 008239E8: _strlen.LIBCMT ref: 008239F2
                                                              • Part of subcall function 00843224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0083EC0C), ref: 00843240
                                                            • _strlen.LIBCMT ref: 00841F35
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                            • String ID:
                                                            • API String ID: 3203458085-0
                                                            • Opcode ID: 69a48260cb87ffcd96a864fc40f04665d80de9504b172535895f8f9751bd8c71
                                                            • Instruction ID: 86b3f3fbc2f8b9bbe834522f3fe5681261ff60ec7ef43ee8aad1927d4332bec1
                                                            • Opcode Fuzzy Hash: 69a48260cb87ffcd96a864fc40f04665d80de9504b172535895f8f9751bd8c71
                                                            • Instruction Fuzzy Hash: CDB1CE31204344AFCB24DF24C889F2ABBA5FF85318F54855CF4569B2A2DB35ED86CB91
                                                            APIs
                                                            • GetClientRect.USER32(?,?), ref: 007C5D30
                                                            • GetWindowRect.USER32(?,?), ref: 007C5D71
                                                            • ScreenToClient.USER32(?,?), ref: 007C5D99
                                                            • GetClientRect.USER32(?,?), ref: 007C5ED7
                                                            • GetWindowRect.USER32(?,?), ref: 007C5EF8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Rect$Client$Window$Screen
                                                            • String ID:
                                                            • API String ID: 1296646539-0
                                                            • Opcode ID: 6b0633d66ba4efcbdbd017e14ec76644f7145fe568418c2286e691b47ed0520d
                                                            • Instruction ID: 271895621ad5fa9abeff797ad1726d9ebbf2c521804b77f604c24ad82d709fa3
                                                            • Opcode Fuzzy Hash: 6b0633d66ba4efcbdbd017e14ec76644f7145fe568418c2286e691b47ed0520d
                                                            • Instruction Fuzzy Hash: 08B16C74A0074ADBDB14CFA9C880BEAB7F1FF54310F14951EE8A9D7290DB34AA91DB50
                                                            APIs
                                                            • __allrem.LIBCMT ref: 007F00BA
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F00D6
                                                            • __allrem.LIBCMT ref: 007F00ED
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F010B
                                                            • __allrem.LIBCMT ref: 007F0122
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F0140
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                            • String ID:
                                                            • API String ID: 1992179935-0
                                                            • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                            • Instruction ID: ed8eba516debf7e20e25c71bd34530234b0fa90510db3706a9678172983557d1
                                                            • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                            • Instruction Fuzzy Hash: 19810772601B0ADBEB209F69CC45B7E73E9EF45724F24453AF611D6782EB78D9008790
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007E82D9,007E82D9,?,?,?,007F644F,00000001,00000001,8BE85006), ref: 007F6258
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,007F644F,00000001,00000001,8BE85006,?,?,?), ref: 007F62DE
                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007F63D8
                                                            • __freea.LIBCMT ref: 007F63E5
                                                              • Part of subcall function 007F3820: RtlAllocateHeap.NTDLL(00000000,?,00891444,?,007DFDF5,?,?,007CA976,00000010,00891440,007C13FC,?,007C13C6,?,007C1129), ref: 007F3852
                                                            • __freea.LIBCMT ref: 007F63EE
                                                            • __freea.LIBCMT ref: 007F6413
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1414292761-0
                                                            • Opcode ID: eaaf6021a9a93cb59f66526b31929e39d02f2097c901a8d9bbb63a21ad703f57
                                                            • Instruction ID: 6715f12537c7d57216114b8bdac2c7034369b8e75b393cbb4050d110aff48719
                                                            • Opcode Fuzzy Hash: eaaf6021a9a93cb59f66526b31929e39d02f2097c901a8d9bbb63a21ad703f57
                                                            • Instruction Fuzzy Hash: C051F072A0021AAFEB258F64CC85EBF77AAEF54750F154229FE05D7240EB38DC44D6A1
                                                            APIs
                                                              • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
                                                              • Part of subcall function 0084C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084B6AE,?,?), ref: 0084C9B5
                                                              • Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084C9F1
                                                              • Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA68
                                                              • Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA9E
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0084BCCA
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0084BD25
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0084BD6A
                                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0084BD99
                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0084BDF3
                                                            • RegCloseKey.ADVAPI32(?), ref: 0084BDFF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                            • String ID:
                                                            • API String ID: 1120388591-0
                                                            • Opcode ID: 93c2dd5fb82a507a13e47377ecd96993a64b4ec8ab2d3b47e1604e8965094619
                                                            • Instruction ID: f988809f679c0635ead9d6dbef5c888ea947a191ae3485fdf042b5734f62e7d5
                                                            • Opcode Fuzzy Hash: 93c2dd5fb82a507a13e47377ecd96993a64b4ec8ab2d3b47e1604e8965094619
                                                            • Instruction Fuzzy Hash: BE817B30208245EFD714DF24C895E2ABBE5FF84308F14899CF5598B2A2DB36ED45CB92
                                                            APIs
                                                            • VariantInit.OLEAUT32(00000035), ref: 0081F7B9
                                                            • SysAllocString.OLEAUT32(00000001), ref: 0081F860
                                                            • VariantCopy.OLEAUT32(0081FA64,00000000), ref: 0081F889
                                                            • VariantClear.OLEAUT32(0081FA64), ref: 0081F8AD
                                                            • VariantCopy.OLEAUT32(0081FA64,00000000), ref: 0081F8B1
                                                            • VariantClear.OLEAUT32(?), ref: 0081F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearCopy$AllocInitString
                                                            • String ID:
                                                            • API String ID: 3859894641-0
                                                            • Opcode ID: 4ceeeca25f762584362b3ba9dd50b01425d8606a5d1d04193dcf8f786b21fd53
                                                            • Instruction ID: 73e8122d6cefbca35046737789ff8a7271073ac84d1546510e992fca1a098e53
                                                            • Opcode Fuzzy Hash: 4ceeeca25f762584362b3ba9dd50b01425d8606a5d1d04193dcf8f786b21fd53
                                                            • Instruction Fuzzy Hash: 4251D731600314FACF10AB65D895BA9B7ACFF45714F14446BEA06DF293DB748C80CB96
                                                            APIs
                                                              • Part of subcall function 007C7620: _wcslen.LIBCMT ref: 007C7625
                                                              • Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A
                                                            • GetOpenFileNameW.COMDLG32(00000058), ref: 008394E5
                                                            • _wcslen.LIBCMT ref: 00839506
                                                            • _wcslen.LIBCMT ref: 0083952D
                                                            • GetSaveFileNameW.COMDLG32(00000058), ref: 00839585
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$FileName$OpenSave
                                                            • String ID: X
                                                            • API String ID: 83654149-3081909835
                                                            • Opcode ID: 897f68d5a12ff2797f02448d72449d6b2e588065484bd078e4c5414168325269
                                                            • Instruction ID: 35e41e0421134ae870bef4a11cf93c82e201c3e807e16c8c31cef6d249249b5a
                                                            • Opcode Fuzzy Hash: 897f68d5a12ff2797f02448d72449d6b2e588065484bd078e4c5414168325269
                                                            • Instruction Fuzzy Hash: 14E16B71608340DFC724EF24C885A6AB7E0FF84314F04896DE9999B3A2DB75ED45CB92
                                                            APIs
                                                              • Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2
                                                            • BeginPaint.USER32(?,?,?), ref: 007D9241
                                                            • GetWindowRect.USER32(?,?), ref: 007D92A5
                                                            • ScreenToClient.USER32(?,?), ref: 007D92C2
                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007D92D3
                                                            • EndPaint.USER32(?,?,?,?,?), ref: 007D9321
                                                            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008171EA
                                                              • Part of subcall function 007D9339: BeginPath.GDI32(00000000), ref: 007D9357
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                            • String ID:
                                                            • API String ID: 3050599898-0
                                                            • Opcode ID: 1a00b00203fde40182a5236aafc9bae5ebbc3e0046e28ed1cfe3c0a8fff1b369
                                                            • Instruction ID: d61d1f1d733c9b3c4b5939b8cd8995f0406f0e548fea6f3f3908935a97a6d993
                                                            • Opcode Fuzzy Hash: 1a00b00203fde40182a5236aafc9bae5ebbc3e0046e28ed1cfe3c0a8fff1b369
                                                            • Instruction Fuzzy Hash: 77418C70108301AFDB11EF24CC88FAA7BB8FF55721F14062AFA95D72A1C735A845DB61
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 0083080C
                                                            • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00830847
                                                            • EnterCriticalSection.KERNEL32(?), ref: 00830863
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 008308DC
                                                            • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008308F3
                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00830921
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                            • String ID:
                                                            • API String ID: 3368777196-0
                                                            • Opcode ID: bae1e53ebefa9085f16703362761076f56b9843a7501be7eb18cbfc1d3fe890c
                                                            • Instruction ID: d1e5b2c28ffabfba200ff7a1fac268246939e6d7570037f0eaf032b299d6da22
                                                            • Opcode Fuzzy Hash: bae1e53ebefa9085f16703362761076f56b9843a7501be7eb18cbfc1d3fe890c
                                                            • Instruction Fuzzy Hash: 0A415771900205EFDF14AF64DC85A6ABBB9FF44300F1440A9ED05EA296DB34DE64DFA0
                                                            APIs
                                                            • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0081F3AB,00000000,?,?,00000000,?,0081682C,00000004,00000000,00000000), ref: 0085824C
                                                            • EnableWindow.USER32(?,00000000), ref: 00858272
                                                            • ShowWindow.USER32(FFFFFFFF,00000000), ref: 008582D1
                                                            • ShowWindow.USER32(?,00000004), ref: 008582E5
                                                            • EnableWindow.USER32(?,00000001), ref: 0085830B
                                                            • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0085832F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Window$Show$Enable$MessageSend
                                                            • String ID:
                                                            • API String ID: 642888154-0
                                                            • Opcode ID: 938831d43b666dd30ccaaff32535fc2e85cf5160df0e072278d960e8e884d25f
                                                            • Instruction ID: 2c6d77b5c18af4ec93a42cd992b7f24bb18de8c1c3a2baade0a7be2ee50a7b6c
                                                            • Opcode Fuzzy Hash: 938831d43b666dd30ccaaff32535fc2e85cf5160df0e072278d960e8e884d25f
                                                            • Instruction Fuzzy Hash: F5418234601645EFDF12DF25C899BE47FE1FB0A716F18416AE908DB262CB31A849CF50
                                                            APIs
                                                            • IsWindowVisible.USER32(?), ref: 00824C95
                                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00824CB2
                                                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00824CEA
                                                            • _wcslen.LIBCMT ref: 00824D08
                                                            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00824D10
                                                            • _wcsstr.LIBVCRUNTIME ref: 00824D1A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                            • String ID:
                                                            • API String ID: 72514467-0
                                                            • Opcode ID: 9b8daf60958deabea7af54592522a580e22463035575e3bb9933790cbfab3111
                                                            • Instruction ID: dd28442d4a90dabbddc1ca86ba346355c9f8b34949571d950fc34e65d50abc23
                                                            • Opcode Fuzzy Hash: 9b8daf60958deabea7af54592522a580e22463035575e3bb9933790cbfab3111
                                                            • Instruction Fuzzy Hash: AA212931204214BBEB155B39FC09E7B7BECEF45750F10507EF805CA192EA65DD4086B0
                                                            APIs
                                                              • Part of subcall function 007C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007C3A97,?,?,007C2E7F,?,?,?,00000000), ref: 007C3AC2
                                                            • _wcslen.LIBCMT ref: 0083587B
                                                            • CoInitialize.OLE32(00000000), ref: 00835995
                                                            • CoCreateInstance.OLE32(0085FCF8,00000000,00000001,0085FB68,?), ref: 008359AE
                                                            • CoUninitialize.OLE32 ref: 008359CC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                            • String ID: .lnk
                                                            • API String ID: 3172280962-24824748
                                                            • Opcode ID: 05ba5da93f7d29b88756fbe5dca0d05eeae494bc12a93b99eeade28db4949847
                                                            • Instruction ID: 01a7f1d309e52f12d0c1413fbf2e2a980b2261b0060e33a89e1d5fed89286de3
                                                            • Opcode Fuzzy Hash: 05ba5da93f7d29b88756fbe5dca0d05eeae494bc12a93b99eeade28db4949847
                                                            • Instruction Fuzzy Hash: 98D14E71608601DFC714EF24C488A2ABBE1FF89724F14885DF88A9B361DB35ED45CB92
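The function records above (an "APIs" list followed by "Memory Dump Source" and "Similarity" fields) are easier to triage across many reports once they are parsed into structured data. The parser below is an added example written for this page, not Joe Sandbox or sample code. SAMPLE is copied from three records on this page (a subset of their lines, same format); the tag names in tag_record() and the API sets behind them are my own triage heuristics, not categories the report defines, and the "shell_link_com" tag is inferred only from the ".lnk" string next to CoCreateInstance, not from a resolved CLSID.

```python
"""Parse Joe Sandbox IDA-plugin function records into structured data.

Added example for this page (not Joe Sandbox code). SAMPLE is copied from three
records on this page; the tags in tag_record() are my own triage heuristics.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: three records copied from this report (subset of lines).
SAMPLE = """\
APIs
  • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0084BCCA
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0084BD25
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0084BD99
• RegCloseKey.ADVAPI32(?), ref: 0084BDFF
Memory Dump Source
• Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
• String ID:
• Opcode ID: 93c2dd5fb82a507a13e47377ecd96993a64b4ec8ab2d3b47e1604e8965094619
APIs
• _wcslen.LIBCMT ref: 0083587B
• CoInitialize.OLE32(00000000), ref: 00835995
• CoCreateInstance.OLE32(0085FCF8,00000000,00000001,0085FB68,?), ref: 008359AE
• CoUninitialize.OLE32 ref: 008359CC
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
• String ID: .lnk
• Opcode ID: 05ba5da93f7d29b88756fbe5dca0d05eeae494bc12a93b99eeade28db4949847
APIs
• GetLengthSid.ADVAPI32(?,00000000,00821335), ref: 008217AE
• CopySid.ADVAPI32(00000000,00000000,?), ref: 008217DA
• HeapFree.KERNEL32(00000000), ref: 008217F5
"""

# One "• Name.MODULE(args), ref: ADDR" line, optionally prefixed with
# "Part of subcall function ADDR:". Names can carry MSVC-mangled characters
# such as "$?@", so the name class only excludes whitespace, "." and "(".
_CALL_RE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function ([0-9A-F]+):\s*)?"
    r"([^\s.(]+)\.([A-Z0-9]+)(?:\(([^)]*)\))?,?\s+ref:\s+([0-9A-F]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                      # argument tokens as printed ("?" = unresolved)
    ref: str                        # address of the call site
    subcall: Optional[str] = None   # callee address when listed under a subcall


@dataclass
class FuncRecord:
    calls: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""


def parse_records(text):
    """Return one FuncRecord per "APIs" block; non-call lines are skipped."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FuncRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = _CALL_RE.match(line)
        if m:
            sub, name, module, args, ref = m.groups()
            arglist = [a.strip() for a in args.split(",")] if args else []
            cur.calls.append(ApiCall(name, module, arglist, ref, sub))
        elif line.startswith("• API ID:"):
            cur.api_id = line.partition(":")[2].strip()
        elif line.startswith("• String ID:"):
            cur.string_id = line.partition(":")[2].strip()
        elif line.startswith("• Opcode ID:"):
            cur.opcode_id = line.partition(":")[2].strip()
    return records


def call_chain(rec):
    """Direct (non-subcall) API names in call-site order."""
    return [c.name for c in rec.calls if c.subcall is None]


def tag_record(rec):
    """Heuristic triage tags (my own labels, not report categories)."""
    names = {c.name for c in rec.calls}
    tags = set()
    if "RegOpenKeyExW" in names and names & {"RegEnumValueW", "RegEnumKeyExW"}:
        tags.add("registry_enumeration")
    if "CoCreateInstance" in names and ".lnk" in rec.string_id.lower():
        tags.add("shell_link_com")   # inferred from the ".lnk" string, not a CLSID
    if names & {"CopySid", "GetTokenInformation"}:
        tags.add("token_sid_handling")
    return tags


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(sorted(tag_record(rec)), " -> ".join(call_chain(rec)))
```

The whole report text can be fed to parse_records as well: only lines ending in "ref: <address>" are treated as calls, so the memory-dump, snapshot and hash lines are ignored, and the "Part of subcall function" entries keep the callee address so that a chain can be distinguished from the API usage of a helper it calls.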
APIs
  • Part of subcall function 00820FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00820FCA
  • Part of subcall function 00820FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00820FD6
  • Part of subcall function 00820FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00820FE5
  • Part of subcall function 00820FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00820FEC
  • Part of subcall function 00820FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00821002
• GetLengthSid.ADVAPI32(?,00000000,00821335), ref: 008217AE
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 008217BA
• HeapAlloc.KERNEL32(00000000), ref: 008217C1
• CopySid.ADVAPI32(00000000,00000000,?), ref: 008217DA
• GetProcessHeap.KERNEL32(00000000,00000000,00821335), ref: 008217EE
• HeapFree.KERNEL32(00000000), ref: 008217F5
Memory Dump Source
• Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c0000_file.jbxd
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
• Opcode ID: 4320e387720e33bc5b4c77b4b4483f94086a1f4618c6520ad38e43c2bd2ccd93
• Instruction ID: d6467e739118b6ca63200cc2b02f3d3322db7a341f4ef359ff5ff37d47d40001
• Instruction Fuzzy Hash: 4B11AC31500715EFDF109FA4EC49BAE7BA9FB95356F204018F441D7255C739A984CF60
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008214FF
• OpenProcessToken.ADVAPI32(00000000), ref: 00821506
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00821515
• CloseHandle.KERNEL32(00000004), ref: 00821520
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0082154F
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00821563
Memory Dump Source
• Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c0000_file.jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
• Opcode ID: 5451372b3118de1686bd800bab08465259aed05bf198d302f985ff9cabc0125f
• Instruction ID: c351abba588df93283ff7ce8143043d5209ab53554e2641ff34bd23c3dc7500b
• Instruction Fuzzy Hash: 9D11597250030DAFDF118F98EE49BDE7BA9FF48705F144055FA05A2160C3758EA0DB60
APIs
• GetLastError.KERNEL32(?,?,007E3379,007E2FE5), ref: 007E3390
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007E339E
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007E33B7
• SetLastError.KERNEL32(00000000,?,007E3379,007E2FE5), ref: 007E3409
Memory Dump Source
• Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c0000_file.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: aafe719be724d4934610f40f43e2347e0af77a6e86e0bb55bd32e98de29b5118
• Instruction ID: 0923b255494b954ba284a6af4be40a9ddf77b9f07f01be8fd864d7fb989e0aef
• Instruction Fuzzy Hash: 1501283220B791FFE726277B7C8D9662A94FB0D3B97300229F410872F1EF694D015664
APIs
• GetLastError.KERNEL32(?,?,007F5686,00803CD6,?,00000000,?,007F5B6A,?,?,?,?,?,007EE6D1,?,00888A48), ref: 007F2D78
• _free.LIBCMT ref: 007F2DAB
• _free.LIBCMT ref: 007F2DD3
• SetLastError.KERNEL32(00000000,?,?,?,?,007EE6D1,?,00888A48,00000010,007C4F4A,?,?,00000000,00803CD6), ref: 007F2DE0
• SetLastError.KERNEL32(00000000,?,?,?,?,007EE6D1,?,00888A48,00000010,007C4F4A,?,?,00000000,00803CD6), ref: 007F2DEC
• _abort.LIBCMT ref: 007F2DF2
Memory Dump Source
• Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c0000_file.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: 3ca95612453d670ada79c4dd5f70e01596be1c2535632a972a228c516dc73c74
• Instruction ID: 96f3c6fbfbfef75f8e063bb7463c08bfe3b580a4776a3f79dc01745f4bab69a3
• Instruction Fuzzy Hash: 81F0F435645B0CBBC2122738BC0EA7A2559BFC17A1B240118FB24D23A3EE2C88034561
APIs
  • Part of subcall function 007D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007D9693
  • Part of subcall function 007D9639: SelectObject.GDI32(?,00000000), ref: 007D96A2
  • Part of subcall function 007D9639: BeginPath.GDI32(?), ref: 007D96B9
  • Part of subcall function 007D9639: SelectObject.GDI32(?,00000000), ref: 007D96E2
• MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00858A4E
• LineTo.GDI32(?,00000003,00000000), ref: 00858A62
• MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00858A70
• LineTo.GDI32(?,00000000,00000003), ref: 00858A80
• EndPath.GDI32(?), ref: 00858A90
• StrokePath.GDI32(?), ref: 00858AA0
Memory Dump Source
• Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c0000_file.jbxd
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• String ID:
• API String ID: 43455801-0
• Opcode ID: 2dcadd2afac4907f25f17f2155131f1d0b6e9805fbc3e54ddfedf4cdfe6ffcf4
• Instruction ID: aef8c4a85c7e9390fee8d5e6de8eb9e53577ec1c876375995974dcea18daed1f
• Instruction Fuzzy Hash: 77110976000219FFDF129F90DC88EAA7F6DFB08391F048012FA199A1A1C7729D55DFA0
APIs
• GetDC.USER32(00000000), ref: 00825218
• GetDeviceCaps.GDI32(00000000,00000058), ref: 00825229
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00825230
• ReleaseDC.USER32(00000000,00000000), ref: 00825238
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 0082524F
• MulDiv.KERNEL32(000009EC,00000001,?), ref: 00825261
Memory Dump Source
• Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c0000_file.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
• Opcode ID: 2a97616122b8baf5d1e1747bcb59c5199779ff1a0acce04ff68c77024f1ca849
• Instruction ID: ffb38f04313ebeffced521fd80cd5bf6cac6b91875ea4586286f1811b7b8eec4
• Instruction Fuzzy Hash: 09014F75A40718BFEB109BA69C49E5EBFB8FF48752F044065FA04E7281DA749900CFA0
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 007C1BF4
• MapVirtualKeyW.USER32(00000010,00000000), ref: 007C1BFC
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 007C1C07
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 007C1C12
• MapVirtualKeyW.USER32(00000011,00000000), ref: 007C1C1A
• MapVirtualKeyW.USER32(00000012,00000000), ref: 007C1C22
Memory Dump Source
• Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c0000_file.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: dbcbe7ff841e91a5b37935c495e649e591fd34ea1319ecc12088192f330202e7
• Instruction ID: 246239c133a2435621cac8e372caf596f171679365a37f04dd9651d48404ebb1
• Instruction Fuzzy Hash: 980144B0902B5ABDE3008F6A8C85A52FEA8FF19354F00411BA15C4BA42C7B5A864CBE5
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0082EB30
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0082EB46
• GetWindowThreadProcessId.USER32(?,?), ref: 0082EB55
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0082EB64
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0082EB6E
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0082EB75
Memory Dump Source
• Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c0000_file.jbxd
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
• Opcode ID: 9baac0b712e47b49fd89a8e42dd11749470cb27b7fa543a695878befbaafd31e
• Instruction ID: 80becd73c53bfe9a63cd898acf7954af3b4648e0219fa92bbbc42e97fceb4c9c
• Instruction Fuzzy Hash: 29F01D72140758BFE6215B529C0DEEB7EBCFBCAB12F000159F601D119196A45A418AB5
APIs
• GetClientRect.USER32(?), ref: 00817452
• SendMessageW.USER32(?,00001328,00000000,?), ref: 00817469
• GetWindowDC.USER32(?), ref: 00817475
• GetPixel.GDI32(00000000,?,?), ref: 00817484
• ReleaseDC.USER32(?,00000000), ref: 00817496
• GetSysColor.USER32(00000005), ref: 008174B0
Memory Dump Source
• Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c0000_file.jbxd
Similarity
• API ID: ClientColorMessagePixelRectReleaseSendWindow
• String ID:
• API String ID: 272304278-0
• Opcode ID: 6e24b8aaa6f16bb1da52d5f03d42de1a1c5120babb56ccd3e4effea8a17485b8
• Instruction ID: b62b6cf5711cee6371131b2645bdd25bc28d526d32efd9f29cf866c5553c1873
• Instruction Fuzzy Hash: 4A012431404315EFEB515FA4DC48BEA7BBAFF04322F650168FA16A21A1CB391E91EF50
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0082187F
• UnloadUserProfile.USERENV(?,?), ref: 0082188B
• CloseHandle.KERNEL32(?), ref: 00821894
• CloseHandle.KERNEL32(?), ref: 0082189C
• GetProcessHeap.KERNEL32(00000000,?), ref: 008218A5
• HeapFree.KERNEL32(00000000), ref: 008218AC
Memory Dump Source
• Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c0000_file.jbxd
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Opcode ID: 6f8fdc14ca60018c1ee99ba8199211915442a9eabac216039539bddc0b275cd2
• Instruction ID: ed697d00b4ccd78f69ababa5262be49e41ad9417f1c5cd0380e70bdb782557e0
• Instruction Fuzzy Hash: C9E0C236044705BFDA015BA5ED0C94ABB69FB49B22B908220F22681570CB36A4A0DF50
                                                            APIs
                                                              • Part of subcall function 007C7620: _wcslen.LIBCMT ref: 007C7625
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0082C6EE
                                                            • _wcslen.LIBCMT ref: 0082C735
                                                            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0082C79C
                                                            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0082C7CA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ItemMenu$Info_wcslen$Default
                                                            • String ID: 0
                                                            • API String ID: 1227352736-4108050209
                                                            • Opcode ID: dfeb9cc64d4842ce6b63e327fcd0b173dd99a219795cb813fa747771e39f1d0a
                                                            • Instruction ID: b839aa9af4c6bd609105afce6772574700fabd64a9b0d53a051eabd899cf5d6b
                                                            • Opcode Fuzzy Hash: dfeb9cc64d4842ce6b63e327fcd0b173dd99a219795cb813fa747771e39f1d0a
                                                            • Instruction Fuzzy Hash: 4251BD716043219FD714AF28E889B7E77E8FF49314F040A2DF996E32A0DB64D984CB52
                                                            APIs
                                                            • ShellExecuteExW.SHELL32(0000003C), ref: 0084AEA3
                                                              • Part of subcall function 007C7620: _wcslen.LIBCMT ref: 007C7625
                                                            • GetProcessId.KERNEL32(00000000), ref: 0084AF38
                                                            • CloseHandle.KERNEL32(00000000), ref: 0084AF67
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CloseExecuteHandleProcessShell_wcslen
                                                            • String ID: <$@
                                                            • API String ID: 146682121-1426351568
                                                            • Opcode ID: 712cc16bce5998e927af7d58cdffea96d7f2581fc2a1e3de445f40330b20fbe5
                                                            • Instruction ID: 3d34a2c1e2d2c2cf2aae71a14285f540646f7546056359036c5d68317de7604a
                                                            • Opcode Fuzzy Hash: 712cc16bce5998e927af7d58cdffea96d7f2581fc2a1e3de445f40330b20fbe5
                                                            • Instruction Fuzzy Hash: 94712375A00619DFCB18DF54D488A9EBBB4FF08314F04849DE856AB3A2CB78ED45CB91
                                                            APIs
                                                            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00827206
                                                            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0082723C
                                                            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0082724D
                                                            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008272CF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$AddressCreateInstanceProc
                                                            • String ID: DllGetClassObject
                                                            • API String ID: 753597075-1075368562
                                                            • Opcode ID: a7da78526891eddc245bd08a671a5b34b71731706634acfdcb6c91c91d81f32c
                                                            • Instruction ID: dafed3950d79ed56f134074dc00c429f134a201e7ccec8a677c2bf8d6f4c6948
                                                            • Opcode Fuzzy Hash: a7da78526891eddc245bd08a671a5b34b71731706634acfdcb6c91c91d81f32c
                                                            • Instruction Fuzzy Hash: 35418CB1A04214EFDB15CF55D884A9A7BA9FF44314F1480ADFD06DF20AD7B4D984CBA0
                                                            APIs
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00853E35
                                                            • IsMenu.USER32(?), ref: 00853E4A
                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00853E92
                                                            • DrawMenuBar.USER32 ref: 00853EA5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Menu$Item$DrawInfoInsert
                                                            • String ID: 0
                                                            • API String ID: 3076010158-4108050209
                                                            • Opcode ID: e89575ecce07ae75ed0abead28bafc9d4bd5a165bc0cc8f3b2cf9e3cba647563
                                                            • Instruction ID: ba03248175ac3acc6da7af7139b1069a50393dc8156ec224c827a341ef15ac4b
                                                            • Opcode Fuzzy Hash: e89575ecce07ae75ed0abead28bafc9d4bd5a165bc0cc8f3b2cf9e3cba647563
                                                            • Instruction Fuzzy Hash: 09414675A01209EFDB10DF90D889AAABBF9FF48396F044129ED05A7650D734AE49CF60
                                                            APIs
                                                              • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
                                                              • Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA
                                                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00821E66
                                                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00821E79
                                                            • SendMessageW.USER32(?,00000189,?,00000000), ref: 00821EA9
                                                              • Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$_wcslen$ClassName
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 2081771294-1403004172
                                                            • Opcode ID: 27cfac436d16f71e8c54f35da5581330809e138702513f66cb5fe1f0ed5b6377
                                                            • Instruction ID: 8aef3db14526e634adcd5a60c66c0cd8de73b256097eb29cde560c865018b5ab
                                                            • Opcode Fuzzy Hash: 27cfac436d16f71e8c54f35da5581330809e138702513f66cb5fe1f0ed5b6377
                                                            • Instruction Fuzzy Hash: EA21E475A00204AEDB14AB64EC5DDFFB7B9FF65350B20412DF825E72E1DB384E498A20
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00852F8D
                                                            • LoadLibraryW.KERNEL32(?), ref: 00852F94
                                                            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00852FA9
                                                            • DestroyWindow.USER32(?), ref: 00852FB1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$DestroyLibraryLoadWindow
                                                            • String ID: SysAnimate32
                                                            • API String ID: 3529120543-1011021900
                                                            • Opcode ID: 2856b21e2b850bce291ea94f95510b88a47f0b8abdada190a61af1a352be1818
                                                            • Instruction ID: 700c6373995f7a604c8979fbfa59a1e4cacb082810117871b227d161095b8f7f
                                                            • Opcode Fuzzy Hash: 2856b21e2b850bce291ea94f95510b88a47f0b8abdada190a61af1a352be1818
                                                            • Instruction Fuzzy Hash: 67218872204209ABEB205F64AC84EBB37B9FB5A366F100228FD50E6190DF71DC959B60
                                                            APIs
                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,007E4D1E,007F28E9,?,007E4CBE,007F28E9,008888B8,0000000C,007E4E15,007F28E9,00000002), ref: 007E4D8D
                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 007E4DA0
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,007E4D1E,007F28E9,?,007E4CBE,007F28E9,008888B8,0000000C,007E4E15,007F28E9,00000002,00000000), ref: 007E4DC3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                            • String ID: CorExitProcess$mscoree.dll
                                                            • API String ID: 4061214504-1276376045
                                                            • Opcode ID: 94f42eb307fa197bc71cf7ee6ab79edaf17b53c291ff795cfa76e45032451cbb
                                                            • Instruction ID: 5eab3dc45105511779dacae85799ceeb41043b155020d08b0f980085e18e742c
                                                            • Opcode Fuzzy Hash: 94f42eb307fa197bc71cf7ee6ab79edaf17b53c291ff795cfa76e45032451cbb
                                                            • Instruction Fuzzy Hash: DFF03C34A41308BFDB119F95DC49BAEBBA5FB48752F0000A4A905A6260CB795940CF94
                                                            APIs
                                                            • LoadLibraryA.KERNEL32 ref: 0081D3AD
                                                            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0081D3BF
                                                            • FreeLibrary.KERNEL32(00000000), ref: 0081D3E5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Library$AddressFreeLoadProc
                                                            • String ID: GetSystemWow64DirectoryW$X64
                                                            • API String ID: 145871493-2590602151
                                                            • Opcode ID: 9aefed68fdd35fddbd1797ec64177a1b07e4ca42d7a95861b4a249b8996514bc
                                                            • Instruction ID: 9e03b24b36164ccf41b693dab37765c7b542682c2c99731ac73739f200054e59
                                                            • Opcode Fuzzy Hash: 9aefed68fdd35fddbd1797ec64177a1b07e4ca42d7a95861b4a249b8996514bc
                                                            • Instruction Fuzzy Hash: F4F020B0845B218FCB7527208C88BEA332CFF11706B548056F822E2204EB78CCC48A92
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,007C4EDD,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E9C
                                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007C4EAE
                                                            • FreeLibrary.KERNEL32(00000000,?,?,007C4EDD,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4EC0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Library$AddressFreeLoadProc
                                                            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                            • API String ID: 145871493-3689287502
                                                            • Opcode ID: 3a6901525f8551db5cc390adf1132ba30655313dc4f3bfdf41d1b953679c8bd1
                                                            • Instruction ID: 0180438e53a295bcdb23e3c864451ac7b716d31d007c89b866b38b44a819bd33
                                                            • Opcode Fuzzy Hash: 3a6901525f8551db5cc390adf1132ba30655313dc4f3bfdf41d1b953679c8bd1
                                                            • Instruction Fuzzy Hash: 82E08C36A42B226F92322B25AC28F6B7758BF81F63B06011DFC00E2200DB6CCD0189A1
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00803CDE,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E62
                                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007C4E74
                                                            • FreeLibrary.KERNEL32(00000000,?,?,00803CDE,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E87
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Library$AddressFreeLoadProc
                                                            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                            • API String ID: 145871493-1355242751
                                                            • Opcode ID: c5d2c762857d98098f18a95410e15c92e0279e9ed8e5b8a82b2b5beb340c2c58
                                                            • Instruction ID: 6a58f582c8fbbc271a76b764b192986f5cc580a8ab61cd195e27b5bda36fdff3
                                                            • Opcode Fuzzy Hash: c5d2c762857d98098f18a95410e15c92e0279e9ed8e5b8a82b2b5beb340c2c58
                                                            • Instruction Fuzzy Hash: 6DD01235542B615B56221B297C28E8B7B19FF85F62306051DBD05E2215CF6CCD01CAD0
                                                            APIs
                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00832C05
                                                            • DeleteFileW.KERNEL32(?), ref: 00832C87
                                                            • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00832C9D
                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00832CAE
                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00832CC0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: File$Delete$Copy
                                                            • String ID:
                                                            • API String ID: 3226157194-0
                                                            • Opcode ID: 944473026d01cccc60aba2ee6395ef2ecdf1a326dca6ee9c5072f2a963195c19
                                                            • Instruction ID: 65a3f2db11f3e1cf95b1509a1e62df2288aa4bd2011effa981b589d52585c8cf
                                                            • Opcode Fuzzy Hash: 944473026d01cccc60aba2ee6395ef2ecdf1a326dca6ee9c5072f2a963195c19
                                                            • Instruction Fuzzy Hash: 8CB13071901119EBDF21EBA4CC89EDEB77DFF48350F1040AAF509E6151EA35AA448FA1
                                                            APIs
                                                            • GetCurrentProcessId.KERNEL32 ref: 0084A427
                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0084A435
                                                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0084A468
                                                            • CloseHandle.KERNEL32(?), ref: 0084A63D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Process$CloseCountersCurrentHandleOpen
                                                            • String ID:
                                                            • API String ID: 3488606520-0
                                                            • Opcode ID: 2a9d481a94646aacb5785e1438b92d6be4d15ce863e0db6d4cd9cde0a196f2a3
                                                            • Instruction ID: a165496444ab38ac5aadd734e97772b8cb717549b1b0d72639ff175e330b9823
                                                            • Opcode Fuzzy Hash: 2a9d481a94646aacb5785e1438b92d6be4d15ce863e0db6d4cd9cde0a196f2a3
                                                            • Instruction Fuzzy Hash: A5A18C71644300AFD724DF24D886F2AB7E5EB88714F14885DF59ADB392DBB4EC418B82
                                                            APIs
                                                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00863700), ref: 007FBB91
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0089121C,000000FF,00000000,0000003F,00000000,?,?), ref: 007FBC09
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00891270,000000FF,?,0000003F,00000000,?), ref: 007FBC36
                                                            • _free.LIBCMT ref: 007FBB7F
                                                              • Part of subcall function 007F29C8: HeapFree.KERNEL32(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
                                                              • Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0
                                                            • _free.LIBCMT ref: 007FBD4B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                            • String ID:
                                                            • API String ID: 1286116820-0
                                                            • Opcode ID: 5bad8f0a52cbf4c4c78ecb6a807fde021fc1f3abc69d4237cba5fbfd1348ae92
                                                            • Instruction ID: 806d0be767eae83d2427b2f94dc5722631d5f1bc667d5c6a364846eda804a2b5
                                                            • Opcode Fuzzy Hash: 5bad8f0a52cbf4c4c78ecb6a807fde021fc1f3abc69d4237cba5fbfd1348ae92
                                                            • Instruction Fuzzy Hash: 7E51A47190420DEFCB10EFA9DC859BAB7B8FF44350B14426AE664D7391EB749D41CB60
                                                            APIs
                                                              • Part of subcall function 0082DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0082CF22,?), ref: 0082DDFD
                                                              • Part of subcall function 0082DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0082CF22,?), ref: 0082DE16
                                                              • Part of subcall function 0082E199: GetFileAttributesW.KERNEL32(?,0082CF95), ref: 0082E19A
                                                            • lstrcmpiW.KERNEL32(?,?), ref: 0082E473
                                                            • MoveFileW.KERNEL32(?,?), ref: 0082E4AC
                                                            • _wcslen.LIBCMT ref: 0082E5EB
                                                            • _wcslen.LIBCMT ref: 0082E603
                                                            • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0082E650
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                            • String ID:
                                                            • API String ID: 3183298772-0
                                                            • Opcode ID: d54dd183a97b3656b170c3ee45de45c815997cf8226ec77215b4f181a5de4462
                                                            • Instruction ID: 4f4fbf2e2602a0c7717cef155ad2ba019bfd4525c5b30858794b72332d4d42f6
                                                            • Opcode Fuzzy Hash: d54dd183a97b3656b170c3ee45de45c815997cf8226ec77215b4f181a5de4462
                                                            • Instruction Fuzzy Hash: 185163B24087959BC724EB94DC859DFB3DCEF84340F40492EF689D3151EF74A588876A
                                                            APIs
                                                              • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
                                                              • Part of subcall function 0084C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084B6AE,?,?), ref: 0084C9B5
                                                              • Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084C9F1
                                                              • Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA68
                                                              • Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA9E
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0084BAA5
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0084BB00
                                                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0084BB63
                                                            • RegCloseKey.ADVAPI32(?,?), ref: 0084BBA6
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0084BBB3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                            • String ID:
                                                            • API String ID: 826366716-0
                                                            • Opcode ID: 6376b65f580723461e721cb34ba60c0bea5fba50d48516a23111035333cb7cae
                                                            • Instruction ID: 6698f8772486a672c83b1ebd6f79e21d69370b4746a05896393e3d2245df9f7b
                                                            • Opcode Fuzzy Hash: 6376b65f580723461e721cb34ba60c0bea5fba50d48516a23111035333cb7cae
                                                            • Instruction Fuzzy Hash: E061AE31208245EFD714DF24C895E2ABBE5FF84318F14895CF4998B2A2DB35ED45CB92
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 00828BCD
                                                            • VariantClear.OLEAUT32 ref: 00828C3E
                                                            • VariantClear.OLEAUT32 ref: 00828C9D
                                                            • VariantClear.OLEAUT32(?), ref: 00828D10
                                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00828D3B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Variant$Clear$ChangeInitType
                                                            • String ID:
                                                            • API String ID: 4136290138-0
                                                            • Opcode ID: c22fff47b16a4003b207e863d9d578ed6f009878c319bdf0ffbf20b2f16a5957
                                                            • Instruction ID: 1aa78ab92a93ed75bb40975a9d72e5bff6dbe6e35c0b4762806b6d2fc4c9bedd
                                                            • Opcode Fuzzy Hash: c22fff47b16a4003b207e863d9d578ed6f009878c319bdf0ffbf20b2f16a5957
                                                            • Instruction Fuzzy Hash: E65188B5A01219EFDB10CF68D884EAAB7F8FF89314B118559E909DB350E734E951CFA0
                                                            APIs
                                                            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00838BAE
                                                            • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00838BDA
                                                            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00838C32
                                                            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00838C57
                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00838C5F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfile$SectionWrite$String
                                                            • String ID:
                                                            • API String ID: 2832842796-0
                                                            • Opcode ID: 993da17134888393d93b5877963ccefde4497467c30403cf9d337fcdb9aedebc
                                                            • Instruction ID: 568ba8311af31cc400d7af912b04a6b00a9afbed80b3b0e41bdf1ecb21702514
                                                            • Opcode Fuzzy Hash: 993da17134888393d93b5877963ccefde4497467c30403cf9d337fcdb9aedebc
                                                            • Instruction Fuzzy Hash: E7510535A00215DFCB05DF64C885E69BBF5FF48314F088459E849AB362DB39ED51DB90
                                                            APIs
                                                            • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00848F40
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00848FD0
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00848FEC
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00849032
                                                            • FreeLibrary.KERNEL32(00000000), ref: 00849052
                                                              • Part of subcall function 007DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00831043,?,75C0E610), ref: 007DF6E6
                                                              • Part of subcall function 007DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0081FA64,00000000,00000000,?,?,00831043,?,75C0E610,?,0081FA64), ref: 007DF70D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                            • String ID:
                                                            • API String ID: 666041331-0
                                                            • Opcode ID: eb279ca31c8d671271ab012eb6556ce324ca57ec3db90dd5b63197321a70cd40
                                                            • Instruction ID: 5becd9a1cbb0874eaddc89060dc2ca36eb3b778e715a3416e103641f3666c16f
                                                            • Opcode Fuzzy Hash: eb279ca31c8d671271ab012eb6556ce324ca57ec3db90dd5b63197321a70cd40
                                                            • Instruction Fuzzy Hash: CE511735600609DFC715DF68C498DADBBF1FF49314B0580A9E84A9B362DB35ED85CB90
                                                            APIs
                                                            • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00856C33
                                                            • SetWindowLongW.USER32(?,000000EC,?), ref: 00856C4A
                                                            • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00856C73
                                                            • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0083AB79,00000000,00000000), ref: 00856C98
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00856CC7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Window$Long$MessageSendShow
                                                            • String ID:
                                                            • API String ID: 3688381893-0
                                                            • Opcode ID: 4b1fb35c5d4a7a0664b4f44005029fd13b97b7dc0af1cccb396fcf2bb0d0b559
                                                            • Instruction ID: 2e83d2902cb20d625800660c7c5de9edcdd7cac45d5de2425569602ea22b26aa
                                                            • Opcode Fuzzy Hash: 4b1fb35c5d4a7a0664b4f44005029fd13b97b7dc0af1cccb396fcf2bb0d0b559
                                                            • Instruction Fuzzy Hash: 5041D635A04204AFDB24DF28CC59FA97FA5FB09365F940228FC95E72E0E371AD65CA40
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _free
                                                            • String ID:
                                                            • API String ID: 269201875-0
                                                            • Opcode ID: 3a4c1a8cd245ecc0b26260792068cada884d0b955ccc05ec1e1a8ddcc093ca5e
                                                            • Instruction ID: d8ae56b6296fb84adb53279e384412e128ebe68d5254ccae692a6ad53e03112e
                                                            • Opcode Fuzzy Hash: 3a4c1a8cd245ecc0b26260792068cada884d0b955ccc05ec1e1a8ddcc093ca5e
                                                            • Instruction Fuzzy Hash: 0041F232A00208DFCB20DF78C884A6DB7F5EF89314F1545A9E615EB392DB35AD02CB90
                                                            APIs
                                                            • GetCursorPos.USER32(?), ref: 007D9141
                                                            • ScreenToClient.USER32(00000000,?), ref: 007D915E
                                                            • GetAsyncKeyState.USER32(00000001), ref: 007D9183
                                                            • GetAsyncKeyState.USER32(00000002), ref: 007D919D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: AsyncState$ClientCursorScreen
                                                            • String ID:
                                                            • API String ID: 4210589936-0
                                                            • Opcode ID: 6a19b51430905938e80140157afd70bb052bc24f7a598f388f5eb5b0e482e03a
                                                            • Instruction ID: 5adba376d4f3edb220890b28aa70aa4e889677c6fd7aa92f28901422ea0a5364
                                                            • Opcode Fuzzy Hash: 6a19b51430905938e80140157afd70bb052bc24f7a598f388f5eb5b0e482e03a
                                                            • Instruction Fuzzy Hash: 5641607190860AFBDF199F68C848BEEB775FF05324F20421AE525A3290D7356D94CF51
                                                            APIs
                                                            • GetInputState.USER32 ref: 008338CB
                                                            • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00833922
                                                            • TranslateMessage.USER32(?), ref: 0083394B
                                                            • DispatchMessageW.USER32(?), ref: 00833955
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00833966
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                            • String ID:
                                                            • API String ID: 2256411358-0
                                                            • Opcode ID: d6d43aeb55e94851ab491fdb28966b434f67d4d61d1640c98c1e2dd87479848a
                                                            • Instruction ID: 433fae251bf93c34df21886206db8da64c00b6a4d7ce90a077012e00e9ee309d
                                                            • Opcode Fuzzy Hash: d6d43aeb55e94851ab491fdb28966b434f67d4d61d1640c98c1e2dd87479848a
                                                            • Instruction Fuzzy Hash: 34310670508346DFEF25DB34D809BB67FA8FB86304F08046AE862D25A0E3F49685DB91
                                                            APIs
                                                            • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0083C21E,00000000), ref: 0083CF38
                                                            • InternetReadFile.WININET(?,00000000,?,?), ref: 0083CF6F
                                                            • GetLastError.KERNEL32(?,00000000,?,?,?,0083C21E,00000000), ref: 0083CFB4
                                                            • SetEvent.KERNEL32(?,?,00000000,?,?,?,0083C21E,00000000), ref: 0083CFC8
                                                            • SetEvent.KERNEL32(?,?,00000000,?,?,?,0083C21E,00000000), ref: 0083CFF2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                            • String ID:
                                                            • API String ID: 3191363074-0
                                                            • Opcode ID: e402b2d011f758f7cd2519c7ca1ce895c0c05ece5589497e5d7346812fbd4811
                                                            • Instruction ID: 43d6b3dbdce73e584282f2b181642544464580551f0bdf31bcf71047d4ee2ee7
                                                            • Opcode Fuzzy Hash: e402b2d011f758f7cd2519c7ca1ce895c0c05ece5589497e5d7346812fbd4811
                                                            • Instruction Fuzzy Hash: 99313A71600709EFDB20DFA5C8849AABBF9FB54355F10442EE506E2241DB74AE419BA0
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 00821915
                                                            • PostMessageW.USER32(00000001,00000201,00000001), ref: 008219C1
                                                            • Sleep.KERNEL32(00000000,?,?,?), ref: 008219C9
                                                            • PostMessageW.USER32(00000001,00000202,00000000), ref: 008219DA
                                                            • Sleep.KERNEL32(00000000,?,?,?,?), ref: 008219E2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessagePostSleep$RectWindow
                                                            • String ID:
                                                            • API String ID: 3382505437-0
                                                            • Opcode ID: 482e5714fe81da1d791e86ea98de9b351047bee348a4c8c5de465cae182133a4
                                                            • Instruction ID: 6003c4fcab7b3875b63584d6e356ab33dbd48247e44e398b5cba1a154ce39ea9
                                                            • Opcode Fuzzy Hash: 482e5714fe81da1d791e86ea98de9b351047bee348a4c8c5de465cae182133a4
                                                            • Instruction Fuzzy Hash: 60319C71A00229EFCB00CFA8D99DA9E7BB5FB14315F204229F921E72D1C7709A84CB90
                                                            APIs
                                                            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00855745
                                                            • SendMessageW.USER32(?,00001074,?,00000001), ref: 0085579D
                                                            • _wcslen.LIBCMT ref: 008557AF
                                                            • _wcslen.LIBCMT ref: 008557BA
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00855816
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$_wcslen
                                                            • String ID:
                                                            • API String ID: 763830540-0
                                                            • Opcode ID: e81af5807344a4929e8ea26ed912c052deca3d92690b5f52520e54c7581a74c2
                                                            • Instruction ID: 04758a8592c7ddba432d8f8bbfe16a9a1aa9ce52a40b5bb47db7bfdc97198de4
                                                            • Opcode Fuzzy Hash: e81af5807344a4929e8ea26ed912c052deca3d92690b5f52520e54c7581a74c2
                                                            • Instruction Fuzzy Hash: C721B671904618DBDB209FA0DC84AEE7BB9FF04326F108256FD29EB180D7749A89CF50
                                                            APIs
                                                            • GetSysColor.USER32(00000008), ref: 007D98CC
                                                            • SetTextColor.GDI32(?,?), ref: 007D98D6
                                                            • SetBkMode.GDI32(?,00000001), ref: 007D98E9
                                                            • GetStockObject.GDI32(00000005), ref: 007D98F1
                                                            • GetWindowLongW.USER32(?,000000EB), ref: 007D9952
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Color$LongModeObjectStockTextWindow
                                                            • String ID:
                                                            • API String ID: 1860813098-0
                                                            • Opcode ID: 113f3c7c4175d095e63c7cca875cc2500082514d7c674bdcb800118874a6354b
                                                            • Instruction ID: 6c3bd15fac99ba27b16da6a12ad5fe53bac310ac133d954ecc7888ff119c3c24
                                                            • Opcode Fuzzy Hash: 113f3c7c4175d095e63c7cca875cc2500082514d7c674bdcb800118874a6354b
                                                            • Instruction Fuzzy Hash: 5E21F6714453909FCB114F24ECA8BE53FB4AF67722F18418EE6D28B2A2D7396991DF10
                                                            APIs
                                                            • IsWindow.USER32(00000000), ref: 00840951
                                                            • GetForegroundWindow.USER32 ref: 00840968
                                                            • GetDC.USER32(00000000), ref: 008409A4
                                                            • GetPixel.GDI32(00000000,?,00000003), ref: 008409B0
                                                            • ReleaseDC.USER32(00000000,00000003), ref: 008409E8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Window$ForegroundPixelRelease
                                                            • String ID:
                                                            • API String ID: 4156661090-0
                                                            • Opcode ID: ea7baf9b8e8563f13c017a409080604a4ee89d808c507346f9877b938dc771e3
                                                            • Instruction ID: 5feab19f172e2a157ba23acba481e9e0704f8b8346f1e2369203c86be98f9148
                                                            • Opcode Fuzzy Hash: ea7baf9b8e8563f13c017a409080604a4ee89d808c507346f9877b938dc771e3
                                                            • Instruction Fuzzy Hash: 76215E35A00214AFD704EF69D889AAEBBE5FF48701F04846CE84AD7752CA34AD04CF90
                                                            APIs
                                                            • GetEnvironmentStringsW.KERNEL32 ref: 007FCDC6
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007FCDE9
                                                              • Part of subcall function 007F3820: RtlAllocateHeap.NTDLL(00000000,?,00891444,?,007DFDF5,?,?,007CA976,00000010,00891440,007C13FC,?,007C13C6,?,007C1129), ref: 007F3852
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 007FCE0F
                                                            • _free.LIBCMT ref: 007FCE22
                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007FCE31
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                            • String ID:
                                                            • API String ID: 336800556-0
                                                            • Opcode ID: c5c4377698c40a5cca6f1c963d0089b9db2140fe9c5a75aecf606609ea95a577
                                                            • Instruction ID: 2dd39d26fa96b5d0ea6bf42ef8afcbdc20bf4927922c2ac97548dae54f06f957
                                                            • Opcode Fuzzy Hash: c5c4377698c40a5cca6f1c963d0089b9db2140fe9c5a75aecf606609ea95a577
                                                            • Instruction Fuzzy Hash: F4018472A0171D7F23221AB66D8CDBB796DEEC6BA1315012DFA05D7301EA6D8D0195F0
                                                            APIs
                                                            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007D9693
                                                            • SelectObject.GDI32(?,00000000), ref: 007D96A2
                                                            • BeginPath.GDI32(?), ref: 007D96B9
                                                            • SelectObject.GDI32(?,00000000), ref: 007D96E2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ObjectSelect$BeginCreatePath
                                                            • String ID:
                                                            • API String ID: 3225163088-0
                                                            • Opcode ID: df9e92dcdc1af6fe69215619716cace11b226a9f0a52555dc12bddd3e36186ab
                                                            • Instruction ID: d86df606e073bfdd567d7daa37d796d1dac06124dbc2e54dabb1268f7c2af874
                                                            • Opcode Fuzzy Hash: df9e92dcdc1af6fe69215619716cace11b226a9f0a52555dc12bddd3e36186ab
                                                            • Instruction Fuzzy Hash: 5A215E30806306EFDF11AF65EC187A97FB8BB50366F984217F511A62B0D3799892CF94
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _memcmp
                                                            • String ID:
                                                            • API String ID: 2931989736-0
                                                            • Opcode ID: a41b76d6546ab49039c907c2c37a7802e0959804ba92bc35303e2228d9729d8e
                                                            • Instruction ID: dfeb58b4bcc09ce28ae484b29b1b0c6ae9f5d4f5a7f6124f5bd00c8ff50e0b82
                                                            • Opcode Fuzzy Hash: a41b76d6546ab49039c907c2c37a7802e0959804ba92bc35303e2228d9729d8e
                                                            • Instruction Fuzzy Hash: 3E01F5716C2669FFD2089115AE86FBB734DFB243A9F404030FE04DA242F734ED5482A1
                                                            APIs
                                                            • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?,?,0082035E), ref: 0082002B
                                                            • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?), ref: 00820046
                                                            • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?), ref: 00820054
                                                            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?), ref: 00820064
                                                            • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?), ref: 00820070
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: From$Prog$FreeStringTasklstrcmpi
                                                            • String ID:
                                                            • API String ID: 3897988419-0
                                                            • Opcode ID: 9b53beaf9ce4bc521a4243136f7655acf0a61b81b3992b8889a742f7350980e8
                                                            • Instruction ID: 232f63ac15f5abd6575653fa9d3b1e5e76d3cad68122e55b567d3de37124282c
                                                            • Opcode Fuzzy Hash: 9b53beaf9ce4bc521a4243136f7655acf0a61b81b3992b8889a742f7350980e8
                                                            • Instruction Fuzzy Hash: 2601A276A00724BFEB104F68EC44BAA7AEDFF44752F144124F905D2222E775DD808FA0
                                                            APIs
                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 0082E997
                                                            • QueryPerformanceFrequency.KERNEL32(?), ref: 0082E9A5
                                                            • Sleep.KERNEL32(00000000), ref: 0082E9AD
                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 0082E9B7
                                                            • Sleep.KERNEL32 ref: 0082E9F3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                                            • String ID:
                                                            • API String ID: 2833360925-0
                                                            • Opcode ID: c10bf463f27f2a538d25b6879a1a78c8412d26c20016ed73b5c6feba069e9622
                                                            • Instruction ID: fdc7a1f8d45e2e8203036776ad561e489e67a4b65a1f2d2fafd032fd18b0f6b9
                                                            • Opcode Fuzzy Hash: c10bf463f27f2a538d25b6879a1a78c8412d26c20016ed73b5c6feba069e9622
                                                            • Instruction Fuzzy Hash: ED010531C01A3DDBCF40ABE5E859AEDBB78FB09701F000556E502F2291CB3495948BA6
                                                            APIs
                                                            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00821114
                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 00821120
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 0082112F
                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 00821136
                                                            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0082114D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 842720411-0
                                                            • Opcode ID: 44a7f7026a636921c767a8ec5fdff2bf55f566764a6c5ae5db0e77e55be6fce3
                                                            • Instruction ID: 3569eec15e3533e4d67b25a3f4af53c2c52a85fb0f3c77e6595099df428b8953
                                                            • Opcode Fuzzy Hash: 44a7f7026a636921c767a8ec5fdff2bf55f566764a6c5ae5db0e77e55be6fce3
                                                            • Instruction Fuzzy Hash: 97014675200315BFDB114BA8EC4DA6A3FAEFF892A1B200418FA41D2360EA35DC50CE60
                                                            APIs
                                                            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00820FCA
                                                            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00820FD6
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00820FE5
                                                            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00820FEC
                                                            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00821002
                                                            Similarity
                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 44706859-0
                                                            • Opcode ID: 90389e75299a2ab56ca4404f1d2f52bd7c73eefa4457d6b6bd2dadd6ffefe834
                                                            • Instruction ID: e94f0386d9b3379d889e94b37a777506565b4c839b2d7478b123d39492115a00
                                                            • Opcode Fuzzy Hash: 90389e75299a2ab56ca4404f1d2f52bd7c73eefa4457d6b6bd2dadd6ffefe834
                                                            • Instruction Fuzzy Hash: DDF04935240B15AFDB214FA5AC4DF5A3BADFF89B62F604414FA46C6291CA74DC808E60
                                                            APIs
                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0082102A
                                                            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00821036
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00821045
                                                            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0082104C
                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00821062
                                                            Similarity
                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 44706859-0
                                                            • Opcode ID: ab714eef816441c8fd6ea2b6e60cbbfa141733c05142948490fb4be0a32990ff
                                                            • Instruction ID: cc6a4774cab0dd0a848ff6bb902f8d3644910f751a61712b16a37118e4d3ec68
                                                            • Opcode Fuzzy Hash: ab714eef816441c8fd6ea2b6e60cbbfa141733c05142948490fb4be0a32990ff
                                                            • Instruction Fuzzy Hash: 55F04935240B55AFDB219FA5EC4DF5A3BADFF89762F200414FA46C6290CA74D8808E60
                                                            APIs
                                                            • CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 00830324
                                                            • CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 00830331
                                                            • CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 0083033E
                                                            • CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 0083034B
                                                            • CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 00830358
                                                            • CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 00830365
                                                            Similarity
                                                            • API ID: CloseHandle
                                                            • String ID:
                                                            • API String ID: 2962429428-0
                                                            • Opcode ID: f9ed309813edaf03c1a124d14681fb5d975231f5aff9e740aec149f0d7083591
                                                            • Instruction ID: 0032c67647c106c7a78eaedce86665800cc18e94ae45d8238dcdfcf610c3fd0a
                                                            • Opcode Fuzzy Hash: f9ed309813edaf03c1a124d14681fb5d975231f5aff9e740aec149f0d7083591
                                                            • Instruction Fuzzy Hash: C801A272800B159FCB309F66D890412F7F9FF903157158A3FD19692A31C371A954CF80
                                                            APIs
                                                            • _free.LIBCMT ref: 007FD752
                                                              • Part of subcall function 007F29C8: HeapFree.KERNEL32(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
                                                              • Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0
                                                            • _free.LIBCMT ref: 007FD764
                                                            • _free.LIBCMT ref: 007FD776
                                                            • _free.LIBCMT ref: 007FD788
                                                            • _free.LIBCMT ref: 007FD79A
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 629525ab6f0a0bc8770618741b5fc5bef7dd84ecbbaabc0474d4b72d0c84ef16
                                                            • Instruction ID: 4b466713ea8e07440c39715a166b7fdad3b1d5eb9371f90eed8016521ef8a74b
                                                            • Opcode Fuzzy Hash: 629525ab6f0a0bc8770618741b5fc5bef7dd84ecbbaabc0474d4b72d0c84ef16
                                                            • Instruction Fuzzy Hash: AEF0FF3259420DAB8621FB68F9C5C3A7BDEBB447107A40805F258EB626C778FC808B74
                                                            APIs
                                                            • GetDlgItem.USER32(?,000003E9), ref: 00825C58
                                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 00825C6F
                                                            • MessageBeep.USER32(00000000), ref: 00825C87
                                                            • KillTimer.USER32(?,0000040A), ref: 00825CA3
                                                            • EndDialog.USER32(?,00000001), ref: 00825CBD
                                                            Similarity
                                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                            • String ID:
                                                            • API String ID: 3741023627-0
                                                            • Opcode ID: 117d3687f61f19dcfdfe37ffa49d38e08f743ea562641f5290d9f033d277b3f6
                                                            • Instruction ID: be93153f7922a6dd4a2b4dfb98b64f5fb8adb85983f935eb60e50cb974736ca3
                                                            • Opcode Fuzzy Hash: 117d3687f61f19dcfdfe37ffa49d38e08f743ea562641f5290d9f033d277b3f6
                                                            • Instruction Fuzzy Hash: D3018170540B14AFEB215B50ED5EFA677F8FB14B46F00055DA583A14E1EBF8AA888E90
                                                            APIs
                                                            • _free.LIBCMT ref: 007F22BE
                                                              • Part of subcall function 007F29C8: HeapFree.KERNEL32(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
                                                              • Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0
                                                            • _free.LIBCMT ref: 007F22D0
                                                            • _free.LIBCMT ref: 007F22E3
                                                            • _free.LIBCMT ref: 007F22F4
                                                            • _free.LIBCMT ref: 007F2305
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: a053191d2170143411ca281ee17f3c04803022c0f7929e7c9d1c13586ae210da
                                                            • Instruction ID: b09b7e83b4da207c761f31d64458a099ffb1cf29526ffe48f95ba08b8d7f3a2b
                                                            • Opcode Fuzzy Hash: a053191d2170143411ca281ee17f3c04803022c0f7929e7c9d1c13586ae210da
                                                            • Instruction Fuzzy Hash: 3FF05E71884126CF8A12FF98BC098283B64FB18760709051BF514E73BACB781912AFE4
                                                            APIs
                                                            • EndPath.GDI32(?), ref: 007D95D4
                                                            • StrokeAndFillPath.GDI32(?,?,008171F7,00000000,?,?,?), ref: 007D95F0
                                                            • SelectObject.GDI32(?,00000000), ref: 007D9603
                                                            • DeleteObject.GDI32 ref: 007D9616
                                                            • StrokePath.GDI32(?), ref: 007D9631
                                                            Similarity
                                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                                            • String ID:
                                                            • API String ID: 2625713937-0
                                                            • Opcode ID: 0cda37a1c8c9d015bd3f06d78e705aea3f876c1ac1016f7e6cdf57e3a815b092
                                                            • Instruction ID: 27402454472b09c5f3559e180611679818d6faa00f35da472488d6414ebf786c
                                                            • Opcode Fuzzy Hash: 0cda37a1c8c9d015bd3f06d78e705aea3f876c1ac1016f7e6cdf57e3a815b092
                                                            • Instruction Fuzzy Hash: 4FF01930009705EFDB126F65ED1C7A43F71BB00362F488216F525551F0D73989A1DF20
                                                            Similarity
                                                            • API ID: __freea$_free
                                                            • String ID: a/p$am/pm
                                                            • API String ID: 3432400110-3206640213
                                                            • Opcode ID: 1d7ae476ff71016067041c16f9a02aa4ffafda2fc4de4797d6ed169b27533bc6
                                                            • Instruction ID: 22b0d142463c0148510520220dc809f79f6fb38a8bdacde15bd3e6d93c48ddd7
                                                            • Opcode Fuzzy Hash: 1d7ae476ff71016067041c16f9a02aa4ffafda2fc4de4797d6ed169b27533bc6
                                                            • Instruction Fuzzy Hash: 31D1F231A1020ECADB289F68C855BFAB7B1FF06310FA84159EB11AB751D77D9D80CB91
                                                            APIs
                                                              • Part of subcall function 007E0242: EnterCriticalSection.KERNEL32(0089070C,00891884,?,?,007D198B,00892518,?,?,?,007C12F9,00000000), ref: 007E024D
                                                              • Part of subcall function 007E0242: LeaveCriticalSection.KERNEL32(0089070C,?,007D198B,00892518,?,?,?,007C12F9,00000000), ref: 007E028A
                                                              • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
                                                              • Part of subcall function 007E00A3: __onexit.LIBCMT ref: 007E00A9
                                                            • __Init_thread_footer.LIBCMT ref: 00847BFB
                                                              • Part of subcall function 007E01F8: EnterCriticalSection.KERNEL32(0089070C,?,?,007D8747,00892514), ref: 007E0202
                                                              • Part of subcall function 007E01F8: LeaveCriticalSection.KERNEL32(0089070C,?,007D8747,00892514), ref: 007E0235
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                            • String ID: 5$G$Variable must be of type 'Object'.
                                                            • API String ID: 535116098-3733170431
                                                            • Opcode ID: 5993577b4eee9ec06e8d5bd2e883b183b20d1ed38fcf30b158927e8c5c224098
                                                            • Instruction ID: ef7cd21b62c6156295a73a82e1d2203ad2e6033f106e0a7586cc0ac66c968948
                                                            • Opcode Fuzzy Hash: 5993577b4eee9ec06e8d5bd2e883b183b20d1ed38fcf30b158927e8c5c224098
                                                            • Instruction Fuzzy Hash: AE915674A0420DEFCB14EF98D895EADB7B2FF48304F148059F806AB292DB75AE45CB51
                                                            Similarity
                                                            • API ID:
                                                            • String ID: JO|
                                                            • API String ID: 0-2887696345
                                                            • Opcode ID: da214a9845865a79e57d21e2c12ceae0c728f570d0631f369fd87d4b4c08297e
                                                            • Instruction ID: a67a72bab9d489e23be8fca55af7aeadfa73f7c8e4f6e39d7b836146dfa1bf57
                                                            • Opcode Fuzzy Hash: da214a9845865a79e57d21e2c12ceae0c728f570d0631f369fd87d4b4c08297e
                                                            • Instruction Fuzzy Hash: 7A518EB1901A0EEFCB11AFA5C849ABE7BB8BF49310F14015AF705A7391D7799A01CB61
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 007F8B6E
                                                            • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 007F8B7A
                                                            • __dosmaperr.LIBCMT ref: 007F8B81
                                                            Similarity
                                                            • API ID: ByteCharErrorLastMultiWide__dosmaperr
                                                            • String ID: .~
                                                            • API String ID: 2434981716-505086709
                                                            • Opcode ID: 06c9cedee000b3643ffa922ffe08edd86ed2f58d1ddb415cddddf5bc1c4b05b8
                                                            • Instruction ID: 53e013105071bac08744e369e43c686731152807fdb14b0ebaf3739e80d320f7
                                                            • Opcode Fuzzy Hash: 06c9cedee000b3643ffa922ffe08edd86ed2f58d1ddb415cddddf5bc1c4b05b8
                                                            • Instruction Fuzzy Hash: 65419FF160414DAFCB659F24DC85A7D7FA5EB85300F2C819AFA548B742DE39CD028751
                                                            APIs
                                                              • Part of subcall function 0082B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008221D0,?,?,00000034,00000800,?,00000034), ref: 0082B42D
                                                            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00822760
                                                              • Part of subcall function 0082B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0082B3F8
                                                              • Part of subcall function 0082B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0082B355
                                                              • Part of subcall function 0082B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00822194,00000034,?,?,00001004,00000000,00000000), ref: 0082B365
                                                              • Part of subcall function 0082B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00822194,00000034,?,?,00001004,00000000,00000000), ref: 0082B37B
                                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008227CD
                                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0082281A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                            • String ID: @
                                                            • API String ID: 4150878124-2766056989
                                                            • Opcode ID: 537734bcbd890846e3fb703cbd10248cc1bd5cb9bb2d841982b1a5c78724e1f1
                                                            • Instruction ID: 52a7d83939bb32342cd8a9e66307ccdbe18699a006442b9dfa788c57945e0e7c
                                                            • Opcode Fuzzy Hash: 537734bcbd890846e3fb703cbd10248cc1bd5cb9bb2d841982b1a5c78724e1f1
                                                            • Instruction Fuzzy Hash: 1B411D72901228BFDB10DBA8DD85ADEBBB8FF09700F104099FA55B7181DB706E85CB61
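The function listed above is the one in this section worth a second look: OpenProcess with desired access 00000438, VirtualAllocEx in the target, WriteProcessMemory, a SendMessageW, then ReadProcessMemory. Whether that is code injection or a benign cross-process control query hinges on constants the listing prints only as hex. The following script, added here as an example and not part of Joe Sandbox or of the sample, parses bullet lines in the `Name.MODULE(args), ref: ADDR` shape used on this page and names those constants. Flag and message values are the documented ones from winnt.h and commctrl.h; the control class passed to `message_name` is an assumption the caller supplies, since the WM_USER and 0x1000 message ranges are shared between controls. The sample listing is copied from the function above.

```python
"""Decode one function's API-call lines from a Joe Sandbox listing (added example)."""
import re
from typing import Dict, List, Optional

# Documented values from winnt.h / memoryapi.h
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# commctrl.h messages seen on this page, keyed by the control class each function names.
# 0x1100-0x11FF (TV_FIRST) is tree-view only; WM_USER+n and 0x1000+n are shared.
WINDOW_MESSAGES = {
    "SysTreeView32": {0x1104: "TVM_GETITEMRECT", 0x1111: "TVM_HITTEST"},
    "SysMonthCal32": {0x1009: "MCM_GETMINREQRECT", 0x1002: "MCM_SETCURSEL"},
    "msctls_updown32": {0x0469: "UDM_SETBUDDY", 0x0465: "UDM_SETRANGE"},
    "msctls_trackbar32": {0x0405: "TBM_SETPOS", 0x0406: "TBM_SETRANGE", 0x0414: "TBM_SETTICFREQ"},
    "Listbox": {0x0180: "LB_ADDSTRING", 0x0186: "LB_SETCURSEL"},
}
REMOTE_EXEC_APIS = {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread",
                    "SetThreadContext", "QueueUserAPC"}
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")


def parse_call(line: str) -> Optional[Dict]:
    """Return {api, module, args, ref, subcall} for one bullet line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args") or ""
    tokens = [t.strip() for t in raw.split(",")] if raw else []
    # 8-hex-digit tokens are reconstructed stack values; '?' or text stays as-is
    args = [int(t, 16) if re.fullmatch(r"[0-9A-F]{8}", t) else t for t in tokens]
    return {"api": m.group("api"), "module": m.group("module"), "args": args,
            "ref": m.group("ref"), "subcall": m.group("sub")}


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Split a bitmask into documented flag names; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append(f"0x{value & ~known:X}")
    return names


def message_name(msg: int, control_class: Optional[str]) -> str:
    """Name a window message; the class hint resolves the shared ranges."""
    if 0x1100 <= msg <= 0x11FF:
        table = WINDOW_MESSAGES["SysTreeView32"]
    else:
        table = WINDOW_MESSAGES.get(control_class or "", {})
    return table.get(msg, f"0x{msg:04X}")


def summarize(listing: str, control_class: Optional[str] = None) -> Dict:
    """Annotate a function's calls and judge what its remote-memory use amounts to."""
    calls = [c for c in map(parse_call, listing.splitlines()) if c]
    apis = {c["api"] for c in calls}
    out = {"apis": sorted(apis), "messages": [], "open_process_access": [],
           "alloc_type": [], "alloc_protect": None, "verdict": "no remote-memory activity"}
    for c in calls:
        a = c["args"]
        if c["api"] == "OpenProcess" and a and isinstance(a[0], int):
            out["open_process_access"] = decode_flags(a[0], PROCESS_ACCESS)
        elif c["api"] == "VirtualAllocEx" and len(a) > 4 and isinstance(a[4], int):
            out["alloc_type"] = decode_flags(a[3], ALLOC_TYPE) if isinstance(a[3], int) else []
            out["alloc_protect"] = PAGE_PROTECT.get(a[4], f"0x{a[4]:X}")
        elif c["api"] in ("SendMessageW", "SendMessageA") and len(a) > 1 and isinstance(a[1], int):
            out["messages"].append(message_name(a[1], control_class))
    executable = (out["alloc_protect"] or "").startswith("PAGE_EXECUTE")
    if {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"} <= apis:
        if executable or apis & REMOTE_EXEC_APIS:
            out["verdict"] = "remote code injection primitives present"
        elif "ReadProcessMemory" in apis and "SendMessageW" in apis:
            out["verdict"] = ("cross-process buffer marshalling for a pointer-taking window "
                              "message; no executable memory or thread creation listed")
        else:
            out["verdict"] = "remote write without a listed execution primitive"
    return out


# Copied from the function above (the one sending messages 0x1104 and 0x1111)
SAMPLE_LISTING = """\
• Part of subcall function 0082B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008221D0,?,?,00000034,00000800,?,00000034), ref: 0082B42D
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00822760
• Part of subcall function 0082B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0082B3F8
• Part of subcall function 0082B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0082B355
• Part of subcall function 0082B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00822194,00000034,?,?,00001004,00000000,00000000), ref: 0082B365
• Part of subcall function 0082B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00822194,00000034,?,?,00001004,00000000,00000000), ref: 0082B37B
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008227CD
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0082281A
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Run on the sample, the access mask decodes to PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE and PROCESS_QUERY_INFORMATION, the remote allocation is MEM_COMMIT with PAGE_READWRITE, and the messages are TVM_GETITEMRECT and TVM_HITTEST, both of which take a pointer in lParam that must live in the target process. That is the standard way to query a common control in another process, and the same OpenProcess/VirtualAllocEx/WriteProcessMemory trio that injection uses; what separates the two in a listing like this is the page protection and the absence of a thread-creation or context-setting call among the calls shown. The verdict only speaks for the calls the listing contains, not for the binary as a whole.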
                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 007F1769
                                                            • _free.LIBCMT ref: 007F1834
                                                            • _free.LIBCMT ref: 007F183E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _free$FileModuleName
                                                            • String ID: C:\Users\user\Desktop\file.exe
                                                            • API String ID: 2506810119-4010620828
                                                            • Opcode ID: e37fe49537fac19dcb975639e2008a42ca2ed98eed218bed614219c97bd8f844
                                                            • Instruction ID: 5b4b43f379e86c97f901c489aafd69bf65d0d70809f80cc8920109a4eadae799
                                                            • Opcode Fuzzy Hash: e37fe49537fac19dcb975639e2008a42ca2ed98eed218bed614219c97bd8f844
                                                            • Instruction Fuzzy Hash: 92319D71A0420CEFCB21EB999989DAEBBFCEB85360F544166EA0497311D6748A40CBA0
                                                            APIs
                                                            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0082C306
                                                            • DeleteMenu.USER32(?,00000007,00000000), ref: 0082C34C
                                                            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00891990,00D35610), ref: 0082C395
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Menu$Delete$InfoItem
                                                            • String ID: 0
                                                            • API String ID: 135850232-4108050209
                                                            • Opcode ID: 3c046e6a37e4dd0f631699c06c813209673b0c1ce5af2ccdf63861f92b755cde
                                                            • Instruction ID: 128aece3e6d6ece3a6cf61edda215c54705176c0038d0b54b4e41d7889d0eb3d
                                                            • Opcode Fuzzy Hash: 3c046e6a37e4dd0f631699c06c813209673b0c1ce5af2ccdf63861f92b755cde
                                                            • Instruction Fuzzy Hash: F0418B31204351AFD720DF29E888B6EBBA8FF85324F008A1DE9A5D7391D734A944CB52
                                                            APIs
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0085CC08,00000000,?,?,?,?), ref: 008544AA
                                                            • GetWindowLongW.USER32 ref: 008544C7
                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 008544D7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Window$Long
                                                            • String ID: SysTreeView32
                                                            • API String ID: 847901565-1698111956
                                                            • Opcode ID: 7b68cad5e425434258f72db2135e4b73d5e7b86a56e03699d86456a2615fbd19
                                                            • Instruction ID: 355c2fb02c6827ded6fd2ec976502b933cd69d373269591bfa9f7dae780935e3
                                                            • Opcode Fuzzy Hash: 7b68cad5e425434258f72db2135e4b73d5e7b86a56e03699d86456a2615fbd19
                                                            • Instruction Fuzzy Hash: 63318B31240205AFDF209E38DC45BEA7BA9FB08329F205319F979E22D0D774EC949B50
                                                            APIs
                                                              • Part of subcall function 0084335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00843077,?,?), ref: 00843378
                                                            • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0084307A
                                                            • _wcslen.LIBCMT ref: 0084309B
                                                            • htons.WSOCK32(00000000,?,?,00000000), ref: 00843106
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                            • String ID: 255.255.255.255
                                                            • API String ID: 946324512-2422070025
                                                            • Opcode ID: 8d79af8b35a8a033d5ad43b0b9ad0d1321e0cb216cec5397a229b727a2384e8f
                                                            • Instruction ID: d9dbc7e93298c3ee8366971cbf3525f9d85876962c6f796028eeb9b8cf52437a
                                                            • Opcode Fuzzy Hash: 8d79af8b35a8a033d5ad43b0b9ad0d1321e0cb216cec5397a229b727a2384e8f
                                                            • Instruction Fuzzy Hash: CE31E435200209DFDB10CF68C485EAA77E0FF14318F248199E915DB392DB76EE45CB60
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00853F40
                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00853F54
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00853F78
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window
                                                            • String ID: SysMonthCal32
                                                            • API String ID: 2326795674-1439706946
                                                            • Opcode ID: aa35f7d4928ad424f19daf9edbe040ed468d099a39f294c8d66d6e593ff82f16
                                                            • Instruction ID: 5286916e50c78f6e440909814958b523427afde67c3890de5c71e8890f6d25a9
                                                            • Opcode Fuzzy Hash: aa35f7d4928ad424f19daf9edbe040ed468d099a39f294c8d66d6e593ff82f16
                                                            • Instruction Fuzzy Hash: 0221AB32600219BFDF219E54DC46FEA3BB9FB48754F110218FE15BB190DAB5A9948BA0
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00854705
                                                            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00854713
                                                            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0085471A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$DestroyWindow
                                                            • String ID: msctls_updown32
                                                            • API String ID: 4014797782-2298589950
                                                            • Opcode ID: c8196ba334c455552098e150af1f54643bbb000433f063c12b92c3c1a8c64714
                                                            • Instruction ID: aae452a5ebf7ed9e473ab555d490c1b27bd4e8ecd5b36888bfe76eea4101807d
                                                            • Opcode Fuzzy Hash: c8196ba334c455552098e150af1f54643bbb000433f063c12b92c3c1a8c64714
                                                            • Instruction Fuzzy Hash: 97218CB5604209AFEB11DF68DCC5DA737EDFB5A3A9B041049FA01DB291CB30EC55CA60
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                            • API String ID: 176396367-2734436370
                                                            • Opcode ID: f4bc47a97964f213ea1cfd47eaf015ec59be931719b65f17baa9d0a2e5baf3a6
                                                            • Instruction ID: 31c2173baf76b92fe582a649a8e87ad42954119a2430a85f95d74732c5b524b4
                                                            • Opcode Fuzzy Hash: f4bc47a97964f213ea1cfd47eaf015ec59be931719b65f17baa9d0a2e5baf3a6
                                                            • Instruction Fuzzy Hash: 0F213832204530A6D331AA25AD06FB773D8FF65314F10402AF9DAD7182EB59AD85C2A6
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00853840
                                                            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00853850
                                                            • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00853876
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$MoveWindow
                                                            • String ID: Listbox
                                                            • API String ID: 3315199576-2633736733
                                                            • Opcode ID: b55cf22dea26d95d0ec8678349f5891e6237ec98eda1694b4690ccea49e323a9
                                                            • Instruction ID: f4d366058e3a799d404ed15193cc4b30c15f20a512c77937d136f299ba489a18
                                                            • Opcode Fuzzy Hash: b55cf22dea26d95d0ec8678349f5891e6237ec98eda1694b4690ccea49e323a9
                                                            • Instruction Fuzzy Hash: 2921CF72600218BBEF219FA4CC85FBB376EFF89791F108124F910AB190C675DC568BA0
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 00834A08
                                                            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00834A5C
                                                            • SetErrorMode.KERNEL32(00000000,?,?,0085CC08), ref: 00834AD0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$InformationVolume
                                                            • String ID: %lu
                                                            • API String ID: 2507767853-685833217
                                                            • Opcode ID: 5eca4f84ae38b7c90ef4fac08867831c3278b49fca097d9bd18195842733be8c
                                                            • Instruction ID: 12c3b554e7d51a88f234f2c714a43583ea733e0c2bdbebdce204673cb5744fb0
                                                            • Opcode Fuzzy Hash: 5eca4f84ae38b7c90ef4fac08867831c3278b49fca097d9bd18195842733be8c
                                                            • Instruction Fuzzy Hash: 75312F75A00219AFDB10DF64C885EAA7BF8FF44308F144099F905DB252DB75ED45CBA1
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0085424F
                                                            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00854264
                                                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00854271
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: msctls_trackbar32
                                                            • API String ID: 3850602802-1010561917
                                                            • Opcode ID: e4a16bb6fe39a6c711659c991ee998de3da4701e9820099438fd145db8a76c04
                                                            • Instruction ID: db852f0bed99de2bb0af5f6253555947620930a5ebab7396c8542192b94dbeab
                                                            • Opcode Fuzzy Hash: e4a16bb6fe39a6c711659c991ee998de3da4701e9820099438fd145db8a76c04
                                                            • Instruction Fuzzy Hash: 0011E331240208BEEF205E29CC46FAB3BACFF95B59F110128FA55E2090D271D8519B20
                                                            APIs
                                                              • Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A
                                                              • Part of subcall function 00822DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00822DC5
                                                              • Part of subcall function 00822DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00822DD6
                                                              • Part of subcall function 00822DA7: GetCurrentThreadId.KERNEL32 ref: 00822DDD
                                                              • Part of subcall function 00822DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00822DE4
                                                            • GetFocus.USER32 ref: 00822F78
                                                              • Part of subcall function 00822DEE: GetParent.USER32(00000000), ref: 00822DF9
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 00822FC3
                                                            • EnumChildWindows.USER32(?,0082303B), ref: 00822FEB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                            • String ID: %s%d
                                                            • API String ID: 1272988791-1110647743
                                                            • Opcode ID: d6b353ed4bbe74df5d29c7011d60f4c7b01ac30b13f6066384692d3eb19a621e
                                                            • Instruction ID: 28e1b67a8f1a6981317948b519559db1e2a9e772bf88d565a7704fa514e255f7
                                                            • Opcode Fuzzy Hash: d6b353ed4bbe74df5d29c7011d60f4c7b01ac30b13f6066384692d3eb19a621e
                                                            • Instruction Fuzzy Hash: 0A11C3B1200219ABCF00BF749C95EED37AAFF94304F044079B909DB252DE385E898B70
                                                            APIs
                                                            • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008558C1
                                                            • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008558EE
                                                            • DrawMenuBar.USER32(?), ref: 008558FD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Menu$InfoItem$Draw
                                                            • String ID: 0
                                                            • API String ID: 3227129158-4108050209
                                                            • Opcode ID: 64222d56168cc74e89932842d3606247503e77911c370f9da0b556ff10a6921c
                                                            • Instruction ID: b52ef3680a142ca8e605d10eb1fc9acf687747e4c1f485f275cf3ae79e1bd4ef
                                                            • Opcode Fuzzy Hash: 64222d56168cc74e89932842d3606247503e77911c370f9da0b556ff10a6921c
                                                            • Instruction Fuzzy Hash: B9018431500218EFDB119F51EC44BAEBFB5FF45362F108099E849D6261DB348A84DF71
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4c1ba45a9a6bcafaabb07d66c7de0194aae1644734704b8a8a26d689d5317f57
                                                            • Instruction ID: 7d64030a5e0f8e819c4666b7c5538d55c01e897be25b79c729ded36bdeedeccd
                                                            • Opcode Fuzzy Hash: 4c1ba45a9a6bcafaabb07d66c7de0194aae1644734704b8a8a26d689d5317f57
                                                            • Instruction Fuzzy Hash: 7BC14C75A0021AEFDB14CF94D898AAEB7B5FF48704F108599E905EB252D731ED81CF90
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearInitInitializeUninitialize
                                                            • String ID:
                                                            • API String ID: 1998397398-0
                                                            • Opcode ID: 22e74d9f8751b7a59706bb1fd5ecdfdab9faae4aafb13582f32f20ee619436c5
                                                            • Instruction ID: 4f440d179eb729dfa824147b5150c142c5a8045f8e4f3a0985fd8b0a94028689
                                                            • Opcode Fuzzy Hash: 22e74d9f8751b7a59706bb1fd5ecdfdab9faae4aafb13582f32f20ee619436c5
                                                            • Instruction Fuzzy Hash: 08A103756042059FCB14DF28C489A2AB7E5FF88714F05885DF98A9B362DB34EE01DB92
                                                            APIs
                                                            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0085FC08,?), ref: 008205F0
                                                            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0085FC08,?), ref: 00820608
                                                            • CLSIDFromProgID.OLE32(?,?,00000000,0085CC40,000000FF,?,00000000,00000800,00000000,?,0085FC08,?), ref: 0082062D
                                                            • _memcmp.LIBVCRUNTIME ref: 0082064E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: FromProg$FreeTask_memcmp
                                                            • String ID:
                                                            • API String ID: 314563124-0
                                                            • Opcode ID: f68f0d4ad1bfba5b10d021aed5568333e5a0f3a16c14fb499d1e9e7b4f2a3065
                                                            • Instruction ID: 53fe8ba2a88d9ca97c8c23a092149137d7bf719d110a2073ea032cb953b959e3
                                                            • Opcode Fuzzy Hash: f68f0d4ad1bfba5b10d021aed5568333e5a0f3a16c14fb499d1e9e7b4f2a3065
                                                            • Instruction Fuzzy Hash: 07810771A00219EFCB04DF94C988EEEB7B9FF89315B204558E506EB251DB71AE46CF60
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _free
                                                            • String ID:
                                                            • API String ID: 269201875-0
                                                            • Opcode ID: b5c7c581c81944569cd5854931deb426504f951b8cc5dabd844ca1dacf481562
                                                            • Instruction ID: e570cc2bcf11f84f34dfc4d93e27ae780fd6d88acad25d6668cca0c23b74ed56
                                                            • Opcode Fuzzy Hash: b5c7c581c81944569cd5854931deb426504f951b8cc5dabd844ca1dacf481562
                                                            • Instruction Fuzzy Hash: 94415D32600948EBDF616FBD8C8D6BE3AAAFF45330F144225F618D72E2E73848415766
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 008562E2
                                                            • ScreenToClient.USER32(?,?), ref: 00856315
                                                            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00856382
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Window$ClientMoveRectScreen
                                                            • String ID:
                                                            • API String ID: 3880355969-0
                                                            • Opcode ID: 7c7a7ca3302acaf76b3745099a3f4269ae9807294e8283ba0e73cf8ae33a4167
                                                            • Instruction ID: 1be255b0b380951854d75fb57ba03486aa54f5ad3581d8347083bc47885e72d3
                                                            • Opcode Fuzzy Hash: 7c7a7ca3302acaf76b3745099a3f4269ae9807294e8283ba0e73cf8ae33a4167
                                                            • Instruction Fuzzy Hash: BB513A74A00209EFCF10DF68D884AAE7BB6FB45365F508169F815DB2A0E730ED95CB50
                                                            APIs
                                                            • socket.WSOCK32(00000002,00000002,00000011), ref: 00841AFD
                                                            • WSAGetLastError.WSOCK32 ref: 00841B0B
                                                            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00841B8A
                                                            • WSAGetLastError.WSOCK32 ref: 00841B94
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$socket
                                                            • String ID:
                                                            • API String ID: 1881357543-0
                                                            • Opcode ID: efc7d14a1602e66942e46b88efcaafae91ded40abf813051e33f0cfff80da6dd
                                                            • Instruction ID: a2fc383f17477b83c81b539f096b06adcde398b0c2af4fb343e56d8a41f145c9
                                                            • Opcode Fuzzy Hash: efc7d14a1602e66942e46b88efcaafae91ded40abf813051e33f0cfff80da6dd
                                                            • Instruction Fuzzy Hash: C6417035640304AFEB20AF24C88AF2977E5EB44718F54845CF91A9F7D2D776DD828B90
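The API listings in this report record raw argument values, so the trackbar SendMessageW calls (0x405, 0x406, 0x414) and the WSOCK32 calls (socket(2,2,17) followed by ordinal #21 with 0xFFFF and 0x20) only become readable once the constants are resolved. The following Python is an added example, not part of the Joe Sandbox output, that parses trace lines in this format into structured records and decodes them: socket(2,2,17) as AF_INET/SOCK_DGRAM/IPPROTO_UDP, the ordinal-21 call as setsockopt(SOL_SOCKET, SO_BROADCAST) (assumption: the binary resolves wsock32.dll by its documented export ordinals, where #21 is setsockopt and #23 is socket), and the three messages as TBM_SETPOS, TBM_SETRANGE(0..100) and TBM_SETPAGESIZE(10), which is only valid because that function's string table names msctls_trackbar32 (the TBM_* values are WM_USER-relative). The sample lines are copied from the listings above.

```python
"""Decode Joe Sandbox API-trace lines into structured records.

Added example for reading the function listings in this report; it is not
part of the Joe Sandbox output. Sample lines are copied from the listings
above. Constant tables hold the public Winsock / common-control values.
Assumption: ordinals of wsock32.dll follow the documented export table
(#21 = setsockopt, #23 = socket).
"""
import re

# Constructed sample: trace lines copied from the function listings above.
SAMPLE_TRACE = """\
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0085424F
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00854264
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00854271
• socket.WSOCK32(00000002,00000002,00000011), ref: 00841AFD
• WSAGetLastError.WSOCK32 ref: 00841B0B
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00841B8A
• WSAGetLastError.WSOCK32 ref: 00841B94
"""

# "• Name.MODULE(args), ref: addr" or "• Name.MODULE ref: addr" (no args).
LINE_RE = re.compile(
    r"^\s*•\s*(?P<name>#?\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Assumption: documented wsock32.dll ordinal table (only the two needed here).
WSOCK32_ORDINALS = {21: "setsockopt", 23: "socket"}

AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
IPPROTO = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
SOL = {0xFFFF: "SOL_SOCKET"}
SO_OPT = {0x0004: "SO_REUSEADDR", 0x0008: "SO_KEEPALIVE", 0x0020: "SO_BROADCAST",
          0x1005: "SO_SNDTIMEO", 0x1006: "SO_RCVTIMEO"}

# Trackbar (msctls_trackbar32) messages are WM_USER (0x400) relative; this
# decoding is only meaningful when the target window is a trackbar.
TBM = {0x405: "TBM_SETPOS", 0x406: "TBM_SETRANGE", 0x414: "TBM_SETPAGESIZE"}


def parse_args(text):
    """'00000002,?,00000011' -> [2, None, 17]; '?' is an argument the sandbox could not resolve."""
    if text is None or text.strip() == "":
        return []
    return [None if a.strip() == "?" else int(a, 16) for a in text.split(",")]


def _lookup(table, value):
    if value is None:
        return "?"
    return table.get(value, hex(value))


def decode(rec):
    """Return a symbolic rendering of the call, or None when nothing is known about it."""
    api, args = rec["api"], rec["args"]
    if api == "socket" and len(args) == 3:
        return "socket(%s, %s, %s)" % (_lookup(AF, args[0]),
                                       _lookup(SOCK_TYPE, args[1]),
                                       _lookup(IPPROTO, args[2]))
    if api == "setsockopt" and len(args) == 5:
        return "setsockopt(s, %s, %s, optval, optlen=%s)" % (
            _lookup(SOL, args[1]), _lookup(SO_OPT, args[2]), args[4])
    if api == "SendMessageW" and len(args) == 4 and args[1] in TBM:
        msg = TBM[args[1]]
        if msg == "TBM_SETRANGE":
            # lParam = MAKELONG(min, max): low word is the minimum, high word the maximum.
            lparam = args[3] or 0
            return "%s(min=%d, max=%d)" % (msg, lparam & 0xFFFF, lparam >> 16)
        if msg == "TBM_SETPOS":
            return "%s(pos=%s)" % (msg, args[3])
        return "%s(wParam=%s)" % (msg, args[2])
    return None


def parse_line(line):
    """Parse one trace line into a record, resolving WSOCK32 ordinals to names."""
    m = LINE_RE.match(line)
    if not m:
        return None
    name, module = m.group("name"), m.group("module")
    if name.startswith("#") and module == "WSOCK32":
        name = WSOCK32_ORDINALS.get(int(name[1:]), name)
    rec = {"api": name, "module": module,
           "args": parse_args(m.group("args")),
           "ref": int(m.group("ref"), 16)}
    rec["decoded"] = decode(rec)
    return rec


def parse_trace(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for r in parse_trace(SAMPLE_TRACE):
        print("%08X %-16s %s" % (r["ref"], r["api"], r["decoded"] or r["args"]))
```

The decoded sequence reads as an AF_INET UDP socket with SO_BROADCAST enabled, i.e. a UDP endpoint that may send to broadcast addresses; the sandbox reports only that the capability is present in the binary, not that this path executed.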
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fb5fa1af4f0bddc5b69b3c690a3e106c13dead4a2a29c2c2a590fae8327b4119
                                                            • Instruction ID: 413225fe76d7a2a60b8d8c35c765c48d7531b05ebcc46b1e472430f4e3de0cfb
                                                            • Opcode Fuzzy Hash: fb5fa1af4f0bddc5b69b3c690a3e106c13dead4a2a29c2c2a590fae8327b4119
                                                            • Instruction Fuzzy Hash: 63412B75900748FFD7249F78CC45B7E7BA9EB88710F10452AF251DB782D779A9018B90
                                                            APIs
                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00835783
                                                            • GetLastError.KERNEL32(?,00000000), ref: 008357A9
                                                            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008357CE
                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008357FA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                                            • String ID:
                                                            • API String ID: 3321077145-0
                                                            • Opcode ID: c5aa0cdebd00a23d008b3e6e19230e08204e92db08d51865cbf24d8120e13f87
                                                            • Instruction ID: ba814c03e74319007079451c990c9fb31dfbc9b915675602eac088d0dd1be42a
                                                            • Opcode Fuzzy Hash: c5aa0cdebd00a23d008b3e6e19230e08204e92db08d51865cbf24d8120e13f87
                                                            • Instruction Fuzzy Hash: 7D410735600610DFCB15DF15D445A5ABBE2FF89320B18889CE84AAB362CB38FD41DF91
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,007E6D71,00000000,00000000,007E82D9,?,007E82D9,?,00000001,007E6D71,?,00000001,007E82D9,007E82D9), ref: 007FD910
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007FD999
                                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 007FD9AB
                                                            • __freea.LIBCMT ref: 007FD9B4
                                                              • Part of subcall function 007F3820: RtlAllocateHeap.NTDLL(00000000,?,00891444,?,007DFDF5,?,?,007CA976,00000010,00891440,007C13FC,?,007C13C6,?,007C1129), ref: 007F3852
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                            • String ID:
                                                            • API String ID: 2652629310-0
                                                            • Opcode ID: 4bcb5c6cb6de51fe7ba2c6927e3370973df0d8acb46dd037493df8300425fe2f
                                                            • Instruction ID: a67935a3ce5eb81ecab97033b5f7cf2dfe53a34acc22a89c0e193ae56958b834
                                                            • Opcode Fuzzy Hash: 4bcb5c6cb6de51fe7ba2c6927e3370973df0d8acb46dd037493df8300425fe2f
                                                            • Instruction Fuzzy Hash: 2F31CF72A0020AABDF25DFA9DC45EBE7BA6EB40310F054168FD04D7251EB79ED50CBA0
                                                            APIs
                                                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 00855352
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00855375
                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00855382
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008553A8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                             • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: LongWindow$InvalidateMessageRectSend
                                                            • String ID:
                                                            • API String ID: 3340791633-0
                                                            • Opcode ID: 2c50d99ed814273fa30d42a3b093c1984075b7da759e951f273ec42e5eef5ce9
                                                            • Instruction ID: e8cd6899bd0ab7a2b5b42fc489343332621e904d830cd5821d90f3efa52701f0
                                                            • Opcode Fuzzy Hash: 2c50d99ed814273fa30d42a3b093c1984075b7da759e951f273ec42e5eef5ce9
                                                            • Instruction Fuzzy Hash: BE31C134A55A0CEFEF209F14CC25BE977A2FB06392F584016BE19D63E0C7B499889B41
                                                            APIs
                                                            • GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 0082ABF1
                                                            • SetKeyboardState.USER32(00000080,?,00008000), ref: 0082AC0D
                                                            • PostMessageW.USER32(00000000,00000101,00000000), ref: 0082AC74
                                                            • SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 0082ACC6
                                                            Similarity
                                                            • API ID: KeyboardState$InputMessagePostSend
                                                            • String ID:
                                                            • API String ID: 432972143-0
                                                            • Opcode ID: 991fefb9558f6b69e8864a085315d1eb05e0034dfecd813a4c965c7aea39001e
                                                            • Instruction ID: 24052af6ce448196f9b2b067141f0039d0165826be30b34962ea66a05c7ec4cc
                                                            • Opcode Fuzzy Hash: 991fefb9558f6b69e8864a085315d1eb05e0034dfecd813a4c965c7aea39001e
                                                            • Instruction Fuzzy Hash: 5931F430A04728AFFF298B65EC047FA7BAAFF89310F04421AE485D21D1D3798AC58752
                                                            APIs
                                                            • ClientToScreen.USER32(?,?), ref: 0085769A
                                                            • GetWindowRect.USER32(?,?), ref: 00857710
                                                            • PtInRect.USER32(?,?,00858B89), ref: 00857720
                                                            • MessageBeep.USER32(00000000), ref: 0085778C
                                                            Similarity
                                                            • API ID: Rect$BeepClientMessageScreenWindow
                                                            • String ID:
                                                            • API String ID: 1352109105-0
                                                            • Opcode ID: 1f2948ca9719b7853ec5893925d5bf984f78b400f7dd8e76d685caa8fc001746
                                                            • Instruction ID: 609ccaca42d67f0bf5e93689ede672ed168918dbdd3e20146ad2731dc25f36d6
                                                            • Opcode Fuzzy Hash: 1f2948ca9719b7853ec5893925d5bf984f78b400f7dd8e76d685caa8fc001746
                                                            • Instruction Fuzzy Hash: 2641AD34609255DFDB02DF58E898EA9BBF5FB49306F1880A9E814DB261C330A949CF90
                                                            APIs
                                                            • GetForegroundWindow.USER32 ref: 008516EB
                                                              • Part of subcall function 00823A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00823A57
                                                              • Part of subcall function 00823A3D: GetCurrentThreadId.KERNEL32 ref: 00823A5E
                                                              • Part of subcall function 00823A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008225B3), ref: 00823A65
                                                            • GetCaretPos.USER32(?), ref: 008516FF
                                                            • ClientToScreen.USER32(00000000,?), ref: 0085174C
                                                            • GetForegroundWindow.USER32 ref: 00851752
                                                            Similarity
                                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                            • String ID:
                                                            • API String ID: 2759813231-0
                                                            • Opcode ID: ad2e878fa0ff8f4e864c27a6cf8d79bd52c0d8f1622bb6f1766402e5c7fa870c
                                                            • Instruction ID: 04a69b51a870e35e28ef122b794e44ddc43f43ff39989d8b4204309de9d7ab0d
                                                            • Opcode Fuzzy Hash: ad2e878fa0ff8f4e864c27a6cf8d79bd52c0d8f1622bb6f1766402e5c7fa870c
                                                            • Instruction Fuzzy Hash: 6F313E75D00249AFCB04EFA9C885DAEBBF9FF48304B5480AEE415E7211DA359E45CBA1
                                                            APIs
                                                              • Part of subcall function 007C7620: _wcslen.LIBCMT ref: 007C7625
                                                            • _wcslen.LIBCMT ref: 0082DFCB
                                                            • _wcslen.LIBCMT ref: 0082DFE2
                                                            • _wcslen.LIBCMT ref: 0082E00D
                                                            • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0082E018
                                                            Similarity
                                                            • API ID: _wcslen$ExtentPoint32Text
                                                            • String ID:
                                                            • API String ID: 3763101759-0
                                                            • Opcode ID: 2b69e8e4e9b06a57fb51408282b9eefa467cf1cf66802683282828fb16a7cec3
                                                            • Instruction ID: f318add96121162892f79d7ade78423c1ff7835f9521668e412c3f6a29784d7c
                                                            • Opcode Fuzzy Hash: 2b69e8e4e9b06a57fb51408282b9eefa467cf1cf66802683282828fb16a7cec3
                                                            • Instruction Fuzzy Hash: E521B171900624EFCB209FA8D981B6EBBF8FF49750F104065E805FB382D6749E818BA1
                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 0082D501
                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 0082D50F
                                                            • Process32NextW.KERNEL32(00000000,?), ref: 0082D52F
                                                            • CloseHandle.KERNEL32(00000000), ref: 0082D5DC
                                                            Similarity
                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                            • String ID:
                                                            • API String ID: 420147892-0
                                                            • Opcode ID: 76c29e86e6569b3cf1ebff0abb2846410f5c47bd4af646eb6161147924e57cd2
                                                            • Instruction ID: 363e3dbc7e331407a2c147332b07faf7918c82c9a16b48b469cfed429637e90d
                                                            • Opcode Fuzzy Hash: 76c29e86e6569b3cf1ebff0abb2846410f5c47bd4af646eb6161147924e57cd2
                                                            • Instruction Fuzzy Hash: 2D317E711083009FD301EF64D889EAFBBF8FF99354F14092DF581861A1EB75A985CBA2
                                                            APIs
                                                              • Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2
                                                            • GetCursorPos.USER32(?), ref: 00859001
                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00817711,?,?,?,?,?), ref: 00859016
                                                            • GetCursorPos.USER32(?), ref: 0085905E
                                                            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00817711,?,?,?), ref: 00859094
                                                            Similarity
                                                            • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                            • String ID:
                                                            • API String ID: 2864067406-0
                                                            • Opcode ID: e14fd1bd24b8d8e3f5b4b5ebae8a5a7e80222a81d2d1d94d0521e65e5371bce3
                                                            • Instruction ID: c69c3879374902e2e466c2d9886451ff89435fbb8b47fa7ac6ced40be3fa3961
                                                            • Opcode Fuzzy Hash: e14fd1bd24b8d8e3f5b4b5ebae8a5a7e80222a81d2d1d94d0521e65e5371bce3
                                                            • Instruction Fuzzy Hash: 0221BF31600518EFCF268F94CC58EEB7BF9FB89352F044465F945872A1D335A950EB60
                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(?,0085CB68), ref: 0082D2FB
                                                            • GetLastError.KERNEL32 ref: 0082D30A
                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 0082D319
                                                            • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0085CB68), ref: 0082D376
                                                            Similarity
                                                            • API ID: CreateDirectory$AttributesErrorFileLast
                                                            • String ID:
                                                            • API String ID: 2267087916-0
                                                            • Opcode ID: b58a0945bb755a47b7df7b65c722a483ef2751fa63662cfb1d9c4e2b472866a4
                                                            • Instruction ID: a6d9573114525e602ebcbe2a594d8c9e3847fd7d23cea738501b5e990c48854e
                                                            • Opcode Fuzzy Hash: b58a0945bb755a47b7df7b65c722a483ef2751fa63662cfb1d9c4e2b472866a4
                                                            • Instruction Fuzzy Hash: 39219F70508311DF8700DF28D8898AABBE4FE56324F504A1DF4A9C33A1E734D98ACB93
                                                            APIs
                                                              • Part of subcall function 00821014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0082102A
                                                              • Part of subcall function 00821014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00821036
                                                              • Part of subcall function 00821014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00821045
                                                              • Part of subcall function 00821014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0082104C
                                                              • Part of subcall function 00821014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00821062
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008215BE
                                                            • _memcmp.LIBVCRUNTIME ref: 008215E1
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00821617
                                                            • HeapFree.KERNEL32(00000000), ref: 0082161E
                                                            Similarity
                                                            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                            • String ID:
                                                            • API String ID: 1592001646-0
                                                            • Opcode ID: 11bf09595ec9e03b67b6cc3d67939dad841457bc89335d38b2f36455a6e38c4d
                                                            • Instruction ID: 548ca70d21ef131f97330c38f53191bb6600d5ac9cf41f4a68769964a0992021
                                                            • Opcode Fuzzy Hash: 11bf09595ec9e03b67b6cc3d67939dad841457bc89335d38b2f36455a6e38c4d
                                                            • Instruction Fuzzy Hash: D5215771E40218AFDF00DFA4D949BEEB7B8FF64355F284459E441AB241E734AA85CBA0
                                                            APIs
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 0085280A
                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00852824
                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00852832
                                                            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00852840
                                                            Similarity
                                                            • API ID: Window$Long$AttributesLayered
                                                            • String ID:
                                                            • API String ID: 2169480361-0
                                                            • Opcode ID: 9c04c889acbe8df5e755a80be70db32094085926fc51a0b9a8a20663c62de4a3
                                                            • Instruction ID: 135b8702c580bfc6f1af81fd9ca0debe89e4ddeaa441b78b99176e347ebab15a
                                                            • Opcode Fuzzy Hash: 9c04c889acbe8df5e755a80be70db32094085926fc51a0b9a8a20663c62de4a3
                                                            • Instruction Fuzzy Hash: A621E031204211AFD715DB24C845FAA7B95FF4A326F14825CF826CB2E2CB75EC86CB90
                                                            APIs
                                                              • Part of subcall function 00828D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0082790A,?,000000FF,?,00828754,00000000,?,0000001C,?,?), ref: 00828D8C
                                                              • Part of subcall function 00828D7D: lstrcpyW.KERNEL32(00000000,?,?,0082790A,?,000000FF,?,00828754,00000000,?,0000001C,?,?,00000000), ref: 00828DB2
                                                              • Part of subcall function 00828D7D: lstrcmpiW.KERNEL32(00000000,?,0082790A,?,000000FF,?,00828754,00000000,?,0000001C,?,?), ref: 00828DE3
                                                            • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00828754,00000000,?,0000001C,?,?,00000000), ref: 00827923
                                                            • lstrcpyW.KERNEL32(00000000,?,?,00828754,00000000,?,0000001C,?,?,00000000), ref: 00827949
                                                            • lstrcmpiW.KERNEL32(00000002,cdecl,?,00828754,00000000,?,0000001C,?,?,00000000), ref: 00827984
                                                            Similarity
                                                            • API ID: lstrcmpilstrcpylstrlen
                                                            • String ID: cdecl
                                                            • API String ID: 4031866154-3896280584
                                                            • Opcode ID: b4e2ab584af08e8f4a71c8b6ac5dc556e711dbfe479780ff9f01ec5dabd13c97
                                                            • Instruction ID: 4cc5b1b5e32f759570d65d661da070cf690511eb82e05ad73b72eff9e56fb58e
                                                            • Opcode Fuzzy Hash: b4e2ab584af08e8f4a71c8b6ac5dc556e711dbfe479780ff9f01ec5dabd13c97
                                                            • Instruction Fuzzy Hash: 7111E93A200311AFCB155F39E845D7A7BA9FF45354B50402AF946C73A4EB359891C761
                                                            APIs
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00857D0B
                                                            • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00857D2A
                                                            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00857D42
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0083B7AD,00000000), ref: 00857D6B
                                                              • Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2
                                                            Similarity
                                                            • API ID: Window$Long
                                                            • String ID:
                                                            • API String ID: 847901565-0
                                                            • Opcode ID: 29f16de3eb94c9bb900f0b231cf287ea3ce600ce1b4e9cd865cbf041b7f5d40e
                                                            • Instruction ID: f0f9018e7c997cd12c22e31e2df93de26678e26fd412caddc2f7743dda57f0fa
                                                            • Opcode Fuzzy Hash: 29f16de3eb94c9bb900f0b231cf287ea3ce600ce1b4e9cd865cbf041b7f5d40e
                                                            • Instruction Fuzzy Hash: F511C031208615AFCB119F68DC08A663BA5FF45362B158325FC35D72F0E7319D58CB40
                                                            APIs
                                                            • SendMessageW.USER32(?,00001060,?,00000004), ref: 008556BB
                                                            • _wcslen.LIBCMT ref: 008556CD
                                                            • _wcslen.LIBCMT ref: 008556D8
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00855816
                                                            Similarity
                                                            • API ID: MessageSend_wcslen
                                                            • String ID:
                                                            • API String ID: 455545452-0
                                                            • Opcode ID: e30a79a35be292e8237882c49a82506f22a3ba703430d72d5a24d931fdfb661a
                                                            • Instruction ID: 80497c34372689ac38e4326afe80b6442c9c87ac5399206bfb02d56bc2cf8b68
                                                            • Opcode Fuzzy Hash: e30a79a35be292e8237882c49a82506f22a3ba703430d72d5a24d931fdfb661a
                                                            • Instruction Fuzzy Hash: 78110375600608E6DF209FA1DC95AEE3BBCFF10766B10402AFD15E6081E774DA88CF64
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 194832ff5efd9076562af2ccd368e6a386a4f53a3c9e1d91898e526e4ac907d1
                                                            • Instruction ID: 29c6ff9fcc1fb595059bcf3d7e687bb26dd0a1592f650bccda71a47bba365e93
                                                            • Opcode Fuzzy Hash: 194832ff5efd9076562af2ccd368e6a386a4f53a3c9e1d91898e526e4ac907d1
                                                            • Instruction Fuzzy Hash: FB018BB2319A1EBEF62126786CC4F37662DEF413B8F750329F721A13D2DB689C005660
                                                            APIs
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00821A47
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00821A59
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00821A6F
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00821A8A
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            • Opcode ID: 012da72f200f9bf224f970f9dd1878b903616105602654dd20fd819a93dc95a5
                                                            • Instruction ID: 3ffa6e1ff2079fc697f31343067d5e5f9579d6a7540f9d3ea07929b0e88bffdc
                                                            • Opcode Fuzzy Hash: 012da72f200f9bf224f970f9dd1878b903616105602654dd20fd819a93dc95a5
                                                            • Instruction Fuzzy Hash: 4411273A901229FFEF109BA4C985FADBB78FB18750F2000A1EA01B7290D7716E50DB94
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 0082E1FD
                                                            • MessageBoxW.USER32(?,?,?,?), ref: 0082E230
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0082E246
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0082E24D
                                                            Similarity
                                                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                            • String ID:
                                                            • API String ID: 2880819207-0
                                                            • Opcode ID: 316a44e6096717b84bf5cc66827918ef1a64143ec1915203cd7204a4afc3a186
                                                            • Instruction ID: 018cd9a0417559ca4fcb9066f1fe4e6784fbd834559024f2f95850d4f93fd64c
                                                            • Opcode Fuzzy Hash: 316a44e6096717b84bf5cc66827918ef1a64143ec1915203cd7204a4afc3a186
                                                            • Instruction Fuzzy Hash: A211C876904369FFCB019FA8AC09A9E7FACFB45311F144256F925E3391D7788D448BA0
                                                            APIs
                                                            • CreateThread.KERNEL32(00000000,?,007ECFF9,00000000,00000004,00000000), ref: 007ED218
                                                            • GetLastError.KERNEL32 ref: 007ED224
                                                            • __dosmaperr.LIBCMT ref: 007ED22B
                                                            • ResumeThread.KERNEL32(00000000), ref: 007ED249
                                                            Similarity
                                                            • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                            • String ID:
                                                            • API String ID: 173952441-0
                                                            • Opcode ID: ecb72ffcaba6a0084995e957d87dcbd38a3c3bfdf587210f562755fbe667050c
                                                            • Instruction ID: 05dfce3369ded3d257633fa17cbe80c208fd1aa6d83d913b8147c74408f35b40
                                                            • Opcode Fuzzy Hash: ecb72ffcaba6a0084995e957d87dcbd38a3c3bfdf587210f562755fbe667050c
                                                            • Instruction Fuzzy Hash: C501D636807248BFC7215BA7DC09BAE7A6DFF89731F104219FA25961D0DB798D01C6A1
                                                            APIs
                                                              • Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2
                                                            • GetClientRect.USER32(?,?), ref: 00859F31
                                                            • GetCursorPos.USER32(?), ref: 00859F3B
                                                            • ScreenToClient.USER32(?,?), ref: 00859F46
                                                            • DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00859F7A
                                                            Similarity
                                                            • API ID: Client$CursorLongProcRectScreenWindow
                                                            • String ID:
                                                            • API String ID: 4127811313-0
                                                            • Opcode ID: 05d8768b3fceffb0052efa7f61347578bdad4d12f4b9a33e822e1c081bad0ba3
                                                            • Instruction ID: 02d741674c75b294bcc8406181425a1842afa251f4f59c546544cf0642cdeca8
                                                            • Opcode Fuzzy Hash: 05d8768b3fceffb0052efa7f61347578bdad4d12f4b9a33e822e1c081bad0ba3
                                                            • Instruction Fuzzy Hash: 0911183290021AEFDF10EFA9D8899EE77B9FB45312F400455F951E3150DB34BA89CBA1
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007C604C
                                                            • GetStockObject.GDI32(00000011), ref: 007C6060
                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 007C606A
                                                            Similarity
                                                            • API ID: CreateMessageObjectSendStockWindow
                                                            • String ID:
                                                            • API String ID: 3970641297-0
                                                            • Opcode ID: 258b484dc80b37fff443c0149232558a5f0dc52f5abd0e21c627a19bd228206c
                                                            • Instruction ID: bf4baeca850e2db19c7020c8150d29feeee5a47227792aba920921385075aa40
                                                            • Opcode Fuzzy Hash: 258b484dc80b37fff443c0149232558a5f0dc52f5abd0e21c627a19bd228206c
                                                            • Instruction Fuzzy Hash: F7115E72501609BFEF125F949C84FEA7BA9FF18755F050119FA1562110D73A9CA09F90
                                                            APIs
                                                            • ___BuildCatchObject.LIBVCRUNTIME ref: 007E3B56
                                                              • Part of subcall function 007E3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 007E3AD2
                                                              • Part of subcall function 007E3AA3: ___AdjustPointer.LIBCMT ref: 007E3AED
                                                            • _UnwindNestedFrames.LIBCMT ref: 007E3B6B
                                                            • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 007E3B7C
                                                            • CallCatchBlock.LIBVCRUNTIME ref: 007E3BA4
                                                            Similarity
                                                            • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                            • String ID:
                                                            • API String ID: 737400349-0
                                                            • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                            • Instruction ID: 4b22b94fcf7a57680e310593f851e22bec77f6833764d96f381c090a273ea2aa
                                                            • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                            • Instruction Fuzzy Hash: 04012972101189BBDF126E96CC4AEEB3B6EEF8C754F044014FE4896121C73AE961DBA0
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007C13C6,00000000,00000000,?,007F301A,007C13C6,00000000,00000000,00000000,?,007F328B,00000006,FlsSetValue), ref: 007F30A5
                                                            • GetLastError.KERNEL32(?,007F301A,007C13C6,00000000,00000000,00000000,?,007F328B,00000006,FlsSetValue,00862290,FlsSetValue,00000000,00000364,?,007F2E46), ref: 007F30B1
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,007F301A,007C13C6,00000000,00000000,00000000,?,007F328B,00000006,FlsSetValue,00862290,FlsSetValue,00000000), ref: 007F30BF
                                                            Similarity
                                                            • API ID: LibraryLoad$ErrorLast
                                                            • String ID:
                                                            • API String ID: 3177248105-0
                                                            • Opcode ID: 759bf9fbc23ee342007876943f9aa64ef946c5ff1bd791a5f275f9fedff6b5ae
                                                            • Instruction ID: 543377cf383ee4bbef506858192cd46cd8d86d67dcf1b289f34dc980345c7c89
                                                            • Opcode Fuzzy Hash: 759bf9fbc23ee342007876943f9aa64ef946c5ff1bd791a5f275f9fedff6b5ae
                                                            • Instruction Fuzzy Hash: 1D01D43230132AAFCB214A799C449777B9AAF05BA1B210721FA06E3340CF29D941CAE0
                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0082747F
                                                            • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00827497
                                                            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008274AC
                                                            • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008274CA
                                                            Similarity
                                                            • API ID: Type$Register$FileLoadModuleNameUser
                                                            • String ID:
                                                            • API String ID: 1352324309-0
                                                            • Opcode ID: f28ae5105384577044e8e08f0e292d5cfa37e63f0e16f7aef19c06d6115554d8
                                                            • Instruction ID: 73266e8d6abfd8105bf035138071218a265140cfb0f16e048aab876064ed12d0
                                                            • Opcode Fuzzy Hash: f28ae5105384577044e8e08f0e292d5cfa37e63f0e16f7aef19c06d6115554d8
                                                            • Instruction Fuzzy Hash: 7811ADB1205325AFE720AF15EC08FA27BFCFB00B04F508569E616D6191D7B4E984DFA5
                                                            APIs
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0082ACD3,?,00008000), ref: 0082B0C4
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0082ACD3,?,00008000), ref: 0082B0E9
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0082ACD3,?,00008000), ref: 0082B0F3
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0082ACD3,?,00008000), ref: 0082B126
                                                            Similarity
                                                            • API ID: CounterPerformanceQuerySleep
                                                            • String ID:
                                                            • API String ID: 2875609808-0
                                                            • Opcode ID: e836b0a1da72951e91dc024a30b3f3502ce77d8c6ef12fa0579bc7fb5447cae1
                                                            • Instruction ID: e6fbef56875121e685d5b8f0d59841209ee78f8a7e869b2d9bec725b244dde7c
                                                            • Opcode Fuzzy Hash: e836b0a1da72951e91dc024a30b3f3502ce77d8c6ef12fa0579bc7fb5447cae1
                                                            • Instruction Fuzzy Hash: A5112D31D02A3DEBCF00AFE4E9696EEBF78FF49711F114096D941B2281DB3456A08B55
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 00857E33
                                                            • ScreenToClient.USER32(?,?), ref: 00857E4B
                                                            • ScreenToClient.USER32(?,?), ref: 00857E6F
                                                            • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00857E8A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ClientRectScreen$InvalidateWindow
                                                            • String ID:
                                                            • API String ID: 357397906-0
                                                            • Opcode ID: 2e81e821390bba8f8d604917e8b64d6eeaa45bcf3d8369c8c11a29b130561c93
                                                            • Instruction ID: ef86cc1fbcb15181534fca9c5803ca6621c9b61d49b80c5a6478b3bc320ea94e
                                                            • Opcode Fuzzy Hash: 2e81e821390bba8f8d604917e8b64d6eeaa45bcf3d8369c8c11a29b130561c93
                                                            • Instruction Fuzzy Hash: E41142B9D0020AAFDB41CF98D884AEEBBF9FF18311F509066E915E3210D735AA54CF90
                                                            APIs
                                                            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00822DC5
                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00822DD6
                                                            • GetCurrentThreadId.KERNEL32 ref: 00822DDD
                                                            • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00822DE4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                            • String ID:
                                                            • API String ID: 2710830443-0
                                                            • Opcode ID: f858f8caeb5752bcbab7b192152ccd47b3756abdb8063a448125556b885a0808
                                                            • Instruction ID: 477537475445f521050b83ab4d334cc21b933026ce8d26cc5d7fa530c3fdea8a
                                                            • Opcode Fuzzy Hash: f858f8caeb5752bcbab7b192152ccd47b3756abdb8063a448125556b885a0808
                                                            • Instruction Fuzzy Hash: F3E0EDB25417387BD7201B72AC0DEEB7EACFB56BA2F400119B506D50909AA99985CAB0
                                                            APIs
                                                              • Part of subcall function 007D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007D9693
                                                              • Part of subcall function 007D9639: SelectObject.GDI32(?,00000000), ref: 007D96A2
                                                              • Part of subcall function 007D9639: BeginPath.GDI32(?), ref: 007D96B9
                                                              • Part of subcall function 007D9639: SelectObject.GDI32(?,00000000), ref: 007D96E2
                                                            • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00858887
                                                            • LineTo.GDI32(?,?,?), ref: 00858894
                                                            • EndPath.GDI32(?), ref: 008588A4
                                                            • StrokePath.GDI32(?), ref: 008588B2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                            • String ID:
                                                            • API String ID: 1539411459-0
                                                            • Opcode ID: 95c932b87889642c742b5852a2e0d59e2f37f9db97db3cbd9ab53f0c33376d43
                                                            • Instruction ID: ed4f286f9a576607ed99eeb52b5f6515cbd4af09861fd418e9a0b2801560340e
                                                            • Opcode Fuzzy Hash: 95c932b87889642c742b5852a2e0d59e2f37f9db97db3cbd9ab53f0c33376d43
                                                            • Instruction Fuzzy Hash: 87F03A36045759FADB126F94AC0DFCA3F69BF06312F448001FA11650E1C7795511CFA5
                                                            APIs
                                                            • GetSysColor.USER32(00000008), ref: 007D98CC
                                                            • SetTextColor.GDI32(?,?), ref: 007D98D6
                                                            • SetBkMode.GDI32(?,00000001), ref: 007D98E9
                                                            • GetStockObject.GDI32(00000005), ref: 007D98F1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Color$ModeObjectStockText
                                                            • String ID:
                                                            • API String ID: 4037423528-0
                                                            • Opcode ID: b2ea3a2d1f04728c0bf0e07ec02e3e165b07bf5013e640b0df696f2988626d6c
                                                            • Instruction ID: 7e2710584abb0d55fa5ae400ea544202b6c31c0081ea8e9773e00c1863a5a7e3
                                                            • Opcode Fuzzy Hash: b2ea3a2d1f04728c0bf0e07ec02e3e165b07bf5013e640b0df696f2988626d6c
                                                            • Instruction Fuzzy Hash: 66E06D31284780AEDB215B78AC09BE83F21FB12376F04821AF7FA980E1C77546809F10
                                                            APIs
                                                            • GetCurrentThread.KERNEL32 ref: 00821634
                                                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,008211D9), ref: 0082163B
                                                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008211D9), ref: 00821648
                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,008211D9), ref: 0082164F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CurrentOpenProcessThreadToken
                                                            • String ID:
                                                            • API String ID: 3974789173-0
                                                            • Opcode ID: b05583b22f4c9b77825b204d794dc10d236082f3d2d2e4d56931853df6cc2b89
                                                            • Instruction ID: 307ab00bd70c5e323d683c531c37d37db62ddfe5b4deb5a23c80e6c7f17b0977
                                                            • Opcode Fuzzy Hash: b05583b22f4c9b77825b204d794dc10d236082f3d2d2e4d56931853df6cc2b89
                                                            • Instruction Fuzzy Hash: 95E04F71602321AFDB201BA1AD0DB8A3B68FF64B93F144808F245C9080D6284480CB50
                                                            APIs
                                                            • GetDesktopWindow.USER32 ref: 0081D858
                                                            • GetDC.USER32(00000000), ref: 0081D862
                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0081D882
                                                            • ReleaseDC.USER32(?), ref: 0081D8A3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CapsDesktopDeviceReleaseWindow
                                                            • String ID:
                                                            • API String ID: 2889604237-0
                                                            • Opcode ID: 80321fc4900aec92d92fc004ee658de98730354d8861e62f4ed112d659213ac0
                                                            • Instruction ID: 2122ce86a743e8bf9fdece4e4af494ba75e061e3ad753030cbb76c33171f4755
                                                            • Opcode Fuzzy Hash: 80321fc4900aec92d92fc004ee658de98730354d8861e62f4ed112d659213ac0
                                                            • Instruction Fuzzy Hash: BDE075B5800305DFCB519FA09908A6DBBF5FB58712B14945DE84AE7250D73C5A41AF50
                                                            APIs
                                                            • GetDesktopWindow.USER32 ref: 0081D86C
                                                            • GetDC.USER32(00000000), ref: 0081D876
                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0081D882
                                                            • ReleaseDC.USER32(?), ref: 0081D8A3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CapsDesktopDeviceReleaseWindow
                                                            • String ID:
                                                            • API String ID: 2889604237-0
                                                            • Opcode ID: 24a41614a879494edfd5c8a54e3b288b047b401cbdc1e083f6d9b6fbdd5aa3c3
                                                            • Instruction ID: 2bf02e4f3862b3768e6e047bc2f1dda6218a5b5b0eef81d18ef1f5dd985acdc5
                                                            • Opcode Fuzzy Hash: 24a41614a879494edfd5c8a54e3b288b047b401cbdc1e083f6d9b6fbdd5aa3c3
                                                            • Instruction Fuzzy Hash: D6E07EB5800304EFCB51AFA09808A6DBBF5BB58712B14944DE94AE7250DB3C5A02AF50
                                                            APIs
                                                              • Part of subcall function 007C7620: _wcslen.LIBCMT ref: 007C7625
                                                            • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00834ED4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Connection_wcslen
                                                            • String ID: *$LPT
                                                            • API String ID: 1725874428-3443410124
                                                            • Opcode ID: 30e40f1cf025156fb787638f85a5ad2c13d662d0a8998e8523bb960f13bda774
                                                            • Instruction ID: b555e8cce4bbf901e78aaf014cbc8ac07a03759b4e0a8da3e3a5d23bc8641b6e
                                                            • Opcode Fuzzy Hash: 30e40f1cf025156fb787638f85a5ad2c13d662d0a8998e8523bb960f13bda774
                                                            • Instruction Fuzzy Hash: 0C912C75A002049FCB14DF58C484EA9BBF1FF85318F19909DE80A9B362DB75ED85CB91
                                                            APIs
                                                            • __startOneArgErrorHandling.LIBCMT ref: 007EE30D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorHandling__start
                                                            • String ID: pow
                                                            • API String ID: 3213639722-2276729525
                                                            • Opcode ID: 20578f5d99fdeabebcb6fc66edadaa1caa4a7bc3de4be22c8e628955f87e1117
                                                            • Instruction ID: a060e99bbe2bcb9fc0b03818c9fdbe75295246ca01e3dd15cb22ce4ef06166b0
                                                            • Opcode Fuzzy Hash: 20578f5d99fdeabebcb6fc66edadaa1caa4a7bc3de4be22c8e628955f87e1117
                                                            • Instruction Fuzzy Hash: 7E51AA61A0E64AD6CB197B15CD4537A3BA8FB04740F348DA9E1D1823E9EF3C8C91DA46
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: #
                                                            • API String ID: 0-1885708031
                                                            • Opcode ID: 3766ca68b92afe40e3abf0f7612e1d7b33cb143748371578a8042b3cd4ba1b3a
                                                            • Instruction ID: 772344bc0c62f28b86ca473b75b27b020ce0def21ce891dc3f94981b1c906211
                                                            • Opcode Fuzzy Hash: 3766ca68b92afe40e3abf0f7612e1d7b33cb143748371578a8042b3cd4ba1b3a
                                                            • Instruction Fuzzy Hash: 2C510575500246DFEB15EF68C485AFA7BB8FF55310F24445AEC51DB2D0D638AD82CB60
                                                            APIs
                                                            • Sleep.KERNEL32(00000000), ref: 007DF2A2
                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 007DF2BB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemorySleepStatus
                                                            • String ID: @
                                                            • API String ID: 2783356886-2766056989
                                                            • Opcode ID: e21d8cd01dc5abeb0c925dd77deb1b232a6c974d3371ad708307f7fc12cf4128
                                                            • Instruction ID: fe45713c5ce83b088f56652ad8fc277741686fbd8f7ce28d526c79908076813b
                                                            • Opcode Fuzzy Hash: e21d8cd01dc5abeb0c925dd77deb1b232a6c974d3371ad708307f7fc12cf4128
                                                            • Instruction Fuzzy Hash: 22513472418B44DBD320AF14DC8ABAFBBF8FB84300F81885DF1D9411A5EB749569CB66
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008457E0
                                                            • _wcslen.LIBCMT ref: 008457EC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: BuffCharUpper_wcslen
                                                            • String ID: CALLARGARRAY
                                                            • API String ID: 157775604-1150593374
                                                            • Opcode ID: 8c0b036e7193ae580c75720040eca706fba314baed042bb92a751532d2c38614
                                                            • Instruction ID: 297a8777ea2817bfb68b8d590d36ccaac18637679dd9595992486654a1096234
                                                            • Opcode Fuzzy Hash: 8c0b036e7193ae580c75720040eca706fba314baed042bb92a751532d2c38614
                                                            • Instruction Fuzzy Hash: FB418C31A00209DFCB14EFA9C8859AEBBF5FF59724F10406DE505E7292EB349D81CBA0
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 0083D130
                                                            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0083D13A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CrackInternet_wcslen
                                                            • String ID: |
                                                            • API String ID: 596671847-2343686810
                                                            • Opcode ID: 2548dcee7bf3b4882d8376b47b8b1e490c5cd26b5739b839255dbd3c65e3a459
                                                            • Instruction ID: 84f4ff75506f875dd1ea11bb9cbd01811996f87c3ad7c900411dfbc86baacfec
                                                            • Opcode Fuzzy Hash: 2548dcee7bf3b4882d8376b47b8b1e490c5cd26b5739b839255dbd3c65e3a459
                                                            • Instruction Fuzzy Hash: EB310771D00209EBCF15EFA5DC89EEEBFB9FF48304F000019E815A6162E735AA16CB90
                                                            APIs
                                                            • DestroyWindow.USER32(?,?,?,?), ref: 00853621
                                                            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0085365C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Window$DestroyMove
                                                            • String ID: static
                                                            • API String ID: 2139405536-2160076837
                                                            • Opcode ID: fa85bf22a1b72a642eab49562ef26c63ae7e82b18b43f52dc784cea0df6d304b
                                                            • Instruction ID: 26884efd8344ab539a03b7ea5944164997849e0272dc4ec7ef48d4fc8361d5da
                                                            • Opcode Fuzzy Hash: fa85bf22a1b72a642eab49562ef26c63ae7e82b18b43f52dc784cea0df6d304b
                                                            • Instruction Fuzzy Hash: DE318C71100604AEDB109F28DC80EBB73A9FF98765F10961DF8A5D7290DA34AD85DB60
                                                            APIs
                                                            • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0085461F
                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00854634
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: '
                                                            • API String ID: 3850602802-1997036262
                                                            • Opcode ID: 60a34ef5cc03cd5f44f9f39cd30c5c475384b64a470a45c3c543652b5f6e5cfb
                                                            • Instruction ID: 8640ab8ef240325ee068772c0b57b8e17c92c57ae515d44e8dc0dc719c1c9e5a
                                                            • Opcode Fuzzy Hash: 60a34ef5cc03cd5f44f9f39cd30c5c475384b64a470a45c3c543652b5f6e5cfb
                                                            • Instruction Fuzzy Hash: 76311774A0120AAFDB14CF69C990BDABBB5FB09305F14506AED04EB341E770A985CF90
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0085327C
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00853287
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: Combobox
                                                            • API String ID: 3850602802-2096851135
                                                            • Opcode ID: 3012a9e9997bf34d44aa7a65d7f79c2d5e754ca4ec40bae30a0f4a24cfb4e3cc
                                                            • Instruction ID: 729a6476a825ee1a17a9968382750055ac57c62786effabe0b7d3114b4c140a9
                                                            • Opcode Fuzzy Hash: 3012a9e9997bf34d44aa7a65d7f79c2d5e754ca4ec40bae30a0f4a24cfb4e3cc
                                                            • Instruction Fuzzy Hash: A811B271304608BFEF219E54DC84EBB376BFB943A6F104129F918E7290D6359D558760
                                                            APIs
                                                              • Part of subcall function 007C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007C604C
                                                              • Part of subcall function 007C600E: GetStockObject.GDI32(00000011), ref: 007C6060
                                                              • Part of subcall function 007C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 007C606A
                                                            • GetWindowRect.USER32(00000000,?), ref: 0085377A
                                                            • GetSysColor.USER32(00000012), ref: 00853794
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                            • String ID: static
                                                            • API String ID: 1983116058-2160076837
                                                            • Opcode ID: 83a36eddb9aac5877f76159b075679f79b69bd36b248a4a0f3f9ed343fde70b8
                                                            • Instruction ID: 12d96dc54db6a9f0dc585e2ff54b6851160c6bc5635c5782badf5c66614fc2eb
                                                            • Opcode Fuzzy Hash: 83a36eddb9aac5877f76159b075679f79b69bd36b248a4a0f3f9ed343fde70b8
                                                            • Instruction Fuzzy Hash: 111129B2A10209AFDF00DFA8CC45EFA7BB8FB08355F004529FD55E2250E735E9559B50
                                                            APIs
                                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0083CD7D
                                                            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0083CDA6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Internet$OpenOption
                                                            • String ID: <local>
                                                            • API String ID: 942729171-4266983199
                                                            • Opcode ID: aa9b9971f1ad64919247c7d658229d5488b80ed0e015264fe50d49e4817c9565
                                                            • Instruction ID: 147cb812547f45733ec3c67fbb91f46c71496bd83cbc33cecd65152e3f14633e
                                                            • Opcode Fuzzy Hash: aa9b9971f1ad64919247c7d658229d5488b80ed0e015264fe50d49e4817c9565
                                                            • Instruction Fuzzy Hash: 6411C275205635BED7385B668C49EE7BEADFF927A8F00422AB109E3180D7749840D7F0
                                                            APIs
                                                            • GetWindowTextLengthW.USER32(00000000), ref: 008534AB
                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008534BA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: LengthMessageSendTextWindow
                                                            • String ID: edit
                                                            • API String ID: 2978978980-2167791130
                                                            • Opcode ID: 1177f9945a4cb55f82c0977bad86ff1692f563bea0903a007d0a83fd338b8416
                                                            • Instruction ID: a8ec8437b6e24e2803c080bce1997bd73bfc4e16f49eeb51c66cc9d73698b3c1
                                                            • Opcode Fuzzy Hash: 1177f9945a4cb55f82c0977bad86ff1692f563bea0903a007d0a83fd338b8416
                                                            • Instruction Fuzzy Hash: D2119D71100208AFEF114E64DC44AAB376AFB243B9F504724FD61D31D0C735DD999B58
                                                            APIs
                                                              • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
                                                            • CharUpperBuffW.USER32(?,?,?), ref: 00826CB6
                                                            • _wcslen.LIBCMT ref: 00826CC2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$BuffCharUpper
                                                            • String ID: STOP
                                                            • API String ID: 1256254125-2411985666
                                                            • Opcode ID: 28154cd1b5286c737f77dfaa9c4be0c59f21b556422da26853d58de520102d51
                                                            • Instruction ID: 443125ecc5327234e48ad606cc77d49bde52ab192c8e15886d4a116dc820cd51
                                                            • Opcode Fuzzy Hash: 28154cd1b5286c737f77dfaa9c4be0c59f21b556422da26853d58de520102d51
                                                            • Instruction Fuzzy Hash: 89010032A0053A8BCB20AFFDEC849BF73E4FB607147400528E862D3190FA36D9A0C650
                                                            APIs
                                                              • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
                                                              • Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA
                                                            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00821D4C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_wcslen
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 624084870-1403004172
                                                            • Opcode ID: 100dbd80fbc4913b815d65fbd1b9b290330e4ee4bf970da55b10658c480be1ee
                                                            • Instruction ID: acbd12aa05ac1d6b35c5df17118d523f500d00ab5a457c7ebcc161206cafeddd
                                                            • Opcode Fuzzy Hash: 100dbd80fbc4913b815d65fbd1b9b290330e4ee4bf970da55b10658c480be1ee
                                                            • Instruction Fuzzy Hash: C401B575601228EBCF54EBA4EC59DFE77A8FB66350B14051DF832A73C1EA3459488760
                                                            APIs
                                                              • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
                                                              • Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA
                                                            • SendMessageW.USER32(?,00000180,00000000,?), ref: 00821C46
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_wcslen
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 624084870-1403004172
                                                            • Opcode ID: 3b23e55ac1a258a762b6d5ff5a2c87e93ea00e4c83366fca41164bbb70a75620
                                                            • Instruction ID: 8d97e4c39c49792fa1dd8f984982b21953e40f0fd0ef146881a3764089269cff
                                                            • Opcode Fuzzy Hash: 3b23e55ac1a258a762b6d5ff5a2c87e93ea00e4c83366fca41164bbb70a75620
                                                            • Instruction Fuzzy Hash: C901AC75641118A6CF14FBA0D959EFF77E8FB31340F14001DA916B7281EA289F5887B1
                                                            APIs
                                                              • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
                                                              • Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA
                                                            • SendMessageW.USER32(?,00000182,?,00000000), ref: 00821CC8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_wcslen
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 624084870-1403004172
                                                            • Opcode ID: e56de663e58908d826b2a4348fdd09c4eff9af019b015ed9ffef7bf378a48f5d
                                                            • Instruction ID: 3d63aa1b108c68fc5c3ab7ae6744be395a5c79e39fa0caf8a81952c70bf8f9bc
                                                            • Opcode Fuzzy Hash: e56de663e58908d826b2a4348fdd09c4eff9af019b015ed9ffef7bf378a48f5d
                                                            • Instruction Fuzzy Hash: 06016775641128A6CF14FBA4DA19EFE77E8FB21340B64001DB911F3281EA699F588771
                                                            APIs
                                                              • Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD
                                                              • Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA
                                                            • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00821DD3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_wcslen
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 624084870-1403004172
                                                            • Opcode ID: ac78c4ed3a72bc5d6bca78163ecfdc427f2132b8e38ce991d73635b5f094c1fd
                                                            • Instruction ID: 81427a738c3ba6807cdc060526caf9724a207275aa64f6bb0403208bd5bfeed5
                                                            • Opcode Fuzzy Hash: ac78c4ed3a72bc5d6bca78163ecfdc427f2132b8e38ce991d73635b5f094c1fd
                                                            • Instruction Fuzzy Hash: 16F0F971A40228A6CB14F7A4DC59FFE77A8FB11350F14091DB932E32C1DB6859088360
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID: 3, 3, 16, 1
                                                            • API String ID: 176396367-3042988571
                                                            • Opcode ID: 9e6789c4df23bd860134a427fa3d340e76f753d04e6cb31080daee3226bda644
                                                            • Instruction ID: 00d55c2b66d4230e393962a9223cce3db8ef2cc7c8245b6b70377638fbc87928
                                                            • Opcode Fuzzy Hash: 9e6789c4df23bd860134a427fa3d340e76f753d04e6cb31080daee3226bda644
                                                            • Instruction Fuzzy Hash: A4E02B42205260609231227A9CC597F5789EFDD750710182BF981D2267EB98DD9193F5
                                                            APIs
                                                            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00820B23
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID: AutoIt$Error allocating memory.
                                                            • API String ID: 2030045667-4017498283
                                                            • Opcode ID: b1b79a2c56e9347c71040d234b1ca6fffb750237a1723e4e9d59b4cf15f1d166
                                                            • Instruction ID: 3d2f66299078dc686590fc344f3244d226fdff7accff9dbf809e6420f4cbc081
                                                            • Opcode Fuzzy Hash: b1b79a2c56e9347c71040d234b1ca6fffb750237a1723e4e9d59b4cf15f1d166
                                                            • Instruction Fuzzy Hash: 88E0D8312443186ED21036957C0BF897F94EF09F61F10046BFB98D56C38AE928904AE9
                                                            APIs
                                                              • Part of subcall function 007DF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,007E0D71,?,?,?,007C100A), ref: 007DF7CE
                                                            • IsDebuggerPresent.KERNEL32(?,?,?,007C100A), ref: 007E0D75
                                                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,007C100A), ref: 007E0D84
                                                            Strings
                                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 007E0D7F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                            • API String ID: 55579361-631824599
                                                            • Opcode ID: d3d6c6765fef715615ceb604ffbbb37a16fc3c0d2da8640bf1458557b328ecae
                                                            • Instruction ID: 0036ca8fd212bd09689b395a5af908993533146ef0fbad24d1cfbb0848676cb9
                                                            • Opcode Fuzzy Hash: d3d6c6765fef715615ceb604ffbbb37a16fc3c0d2da8640bf1458557b328ecae
                                                            • Instruction Fuzzy Hash: 40E039742003418BD320AFA9D8487467BE0BB04756F00492DE882CA652DBF8E4888BE1
                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0083302F
                                                            • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00833044
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: Temp$FileNamePath
                                                            • String ID: aut
                                                            • API String ID: 3285503233-3010740371
                                                            • Opcode ID: b65a86947dcca7bd0ad053875919d661ff12d1bde9fc5c50fa58fdf04fef556d
                                                            • Instruction ID: 98e58a1145cb6b1606809b517cf45f24df94bf0d7320a8b3f47ecbb33bf51f69
                                                            • Opcode Fuzzy Hash: b65a86947dcca7bd0ad053875919d661ff12d1bde9fc5c50fa58fdf04fef556d
                                                            • Instruction Fuzzy Hash: C9D05E765003286BDA30A7A4AC4EFCB3B6CEB04751F0002A1B655E2091EAB89984CFD0
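                                                            The GetTempPathW / GetTempFileNameW pair above, called with the prefix "aut", is the one place in this listing where the report pins down an on-disk artifact name. GetTempFileNameW keeps only the first three characters of its prefix and appends the hexadecimal value of its unique number (one to four digits) plus ".tmp", so this function produces paths of the form <TEMP>\aut<hex>.tmp. The following detection helper is an added example, not part of the Joe Sandbox report or the sample; it runs the derived pattern over Sysmon-style FileCreate (Event ID 11) records that are constructed here for illustration, and the field names (EventID, Image, TargetFilename) follow Sysmon's schema as an assumption about the log source.

```python
"""
Detector for the aut<hex>.tmp names produced by GetTempFileNameW("aut").

Added example, not code from the report or the sample. GetTempFileNameW
truncates its prefix to three characters and appends the hex value of
uUnique (or a generated unique WORD) and ".tmp", giving names such as
aut1A2B.tmp or autF.tmp. The events below are constructed for this
example and are not telemetry from the sandbox run.
"""
import re
from collections import defaultdict

# Constructed Sysmon Event ID 11 (FileCreate) style records.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\u\Desktop\file.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\aut1A2B.tmp"},
    {"EventID": 11, "Image": r"C:\Users\u\Desktop\file.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\autF.tmp"},
    # Different prefix: the generic "tmp" used by many legitimate programs.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\tmp9C3E.tmp"},
    # Starts with "aut" but the tail is not 1-4 hex digits.
    {"EventID": 11, "Image": r"C:\Users\u\Desktop\file.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\autumn.tmp"},
    # Right name, wrong event type (process create, not file create).
    {"EventID": 1, "Image": r"C:\Users\u\Desktop\file.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\aut77.tmp"},
]

# GetTempFileNameW output shape: <dir>\<3-char prefix><1-4 hex digits>.tmp
# restricted to a Temp directory, which is what GetTempPathW returns.
AUTOIT_TEMP_RE = re.compile(r"\\Temp\\aut[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)


def is_autoit_temp_file(path: str) -> bool:
    """True when the path is a Temp-directory file named aut<1-4 hex>.tmp."""
    return AUTOIT_TEMP_RE.search(path) is not None


def find_autoit_temp_drops(events):
    """Return {creating image: [matching paths]} over FileCreate events.

    Grouping by the creating process shows when one binary produced several
    such files, which is a stronger pivot than a single isolated name.
    """
    hits = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        target = ev.get("TargetFilename", "")
        if is_autoit_temp_file(target):
            hits[ev.get("Image", "<unknown>")].append(target)
    return dict(hits)


if __name__ == "__main__":
    for image, paths in find_autoit_temp_drops(SAMPLE_EVENTS).items():
        print(image)
        for p in paths:
            print("   ", p)
```

                                                            The pattern is a pivot, not a verdict: any program built with the same runtime writes identically named temporary files, so a hit should be followed by checking what the creating image is and what was written into the file, rather than treated as a detection on its own.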
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: LocalTime
                                                            • String ID: %.3d$X64
                                                            • API String ID: 481472006-1077770165
                                                            • Opcode ID: e625a9d04a2b230b19980cd4d3c6d7d92aa5014bf608326178f50f6855b0e3b6
                                                            • Instruction ID: d63547bdff0160e4fe89bb17e897f72241467a58c9e3b795673c680c6f15385e
                                                            • Opcode Fuzzy Hash: e625a9d04a2b230b19980cd4d3c6d7d92aa5014bf608326178f50f6855b0e3b6
                                                            • Instruction Fuzzy Hash: B9D012A180831CE9CB5096E0CC49AF9B37CFF19305F608453F826D1140D63CE9886B61
                                                            APIs
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0085232C
                                                            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0085233F
                                                              • Part of subcall function 0082E97B: Sleep.KERNEL32 ref: 0082E9F3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: FindMessagePostSleepWindow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 529655941-2988720461
                                                            • Opcode ID: 685b92d40226fb0dbd32b15cfd7944dc2815ef9903bc58227c504fe8f131d39d
                                                            • Instruction ID: 130bd091dcdfb62f1cc70c64e59a1e4b116a5e3fdbbd94a29f60472ba0349ff3
                                                            • Opcode Fuzzy Hash: 685b92d40226fb0dbd32b15cfd7944dc2815ef9903bc58227c504fe8f131d39d
                                                            • Instruction Fuzzy Hash: FCD0A932380310BAE2A4B770AC1FFC66A04BB00B01F004A067205EA1D0D8A8A8418A44
                                                            APIs
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0085236C
                                                            • PostMessageW.USER32(00000000), ref: 00852373
                                                              • Part of subcall function 0082E97B: Sleep.KERNEL32 ref: 0082E9F3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: FindMessagePostSleepWindow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 529655941-2988720461
                                                            • Opcode ID: 277f9fd82da595071ca0769d738333ac62bb1d3060e880f40fcc39aed8d202e5
                                                            • Instruction ID: 22ea5ccbd88cc356f63a1a5a9610c0acc21afb50a5c48046be8a367c77a4febf
                                                            • Opcode Fuzzy Hash: 277f9fd82da595071ca0769d738333ac62bb1d3060e880f40fcc39aed8d202e5
                                                            • Instruction Fuzzy Hash: 2BD0A9323803107AE2A4B770AC0FFC66A04BB00B01F004A067201EA1D0D8A8A8418A48
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 007FBE93
                                                            • GetLastError.KERNEL32 ref: 007FBEA1
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007FBEFC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1280284651.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1280265857.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.000000000085C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280396062.0000000000882000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280453366.000000000088C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1280472341.0000000000894000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$ErrorLast
                                                            • String ID:
                                                            • API String ID: 1717984340-0
                                                            • Opcode ID: 77e2208cd9a11b475014227fe4451e8599156747b0457ec6b3201ec7815b9f3c
                                                            • Instruction ID: e5c26a6c2c74baa128d4fef73abc30e204b5a3684a30d56416a15e0b6e9984eb
                                                            • Opcode Fuzzy Hash: 77e2208cd9a11b475014227fe4451e8599156747b0457ec6b3201ec7815b9f3c
                                                            • Instruction Fuzzy Hash: E241F53560120AEFCF218FA5CC84ABA7BE5EF45320F144169FA59973A1DB388D00DB61