Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1524805
MD5: 8d3ee4b9b4f941932e71657e1bbc0aaa
SHA1: b789aa43c4a8f53eb8e6df61747c99e70634b22c
SHA256: 35359f4b8af06d6b3b37992f7ae8f9c9bea7a975f51e697cc738b4ef65715a98
Tags: exe, user-Bitsight

Detection

Credential Flusher
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Credential Flusher
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • file.exe (PID: 6476 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 8D3EE4B9B4F941932E71657E1BBC0AAA)
    • taskkill.exe (PID: 5660 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 6256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 4504 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 1408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 4248 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 4340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 6388 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 4504 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • chrome.exe (PID: 7316 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
      • chrome.exe (PID: 7528 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1840,i,11361579010988229476,10119946490956885098,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
      • chrome.exe (PID: 5420 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5340 --field-trial-handle=1840,i,11361579010988229476,10119946490956885098,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
      • chrome.exe (PID: 6488 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1840,i,11361579010988229476,10119946490956885098,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  • cleanup
No configs have been found
Source: Process Memory Space: file.exe PID: 6476
Rule: JoeSecurity_CredentialFlusher
Description: Yara detected Credential Flusher
Author: Joe Security
    No Sigma rule has matched
    No Suricata rule has matched

    AV Detection

    Source: file.exe; Virustotal: Detection: 18%
    Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
    Source: file.exe; Joe Sandbox ML: detected
    Source: file.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: unknown; HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49712 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49714 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.7:49736 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.7:61158 version: TLS 1.2
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00AEDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_00AEDBBE
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00ABC2A2 FindFirstFileExW,0_2_00ABC2A2
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00AF68EE FindFirstFileW,FindClose,0_2_00AF68EE
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00AF698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_00AF698F
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00AED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00AED076
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00AED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00AED3A9
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00AF9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00AF9642
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00AF979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00AF979D
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00AF9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00AF9B2B
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00AF5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00AF5C97
    Source: global traffic; TCP traffic: 192.168.2.7:61153 -> 1.1.1.1:53
    Source: Joe Sandbox View; IP Address: 239.255.255.250 239.255.255.250
    Source: Joe Sandbox View; JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00AFCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_00AFCE44
    Source: global traffic; HTTP traffic detected:
        GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1
        Host: youtube.com
        Connection: keep-alive
        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
        sec-ch-ua-mobile: ?0
        sec-ch-ua-platform: "Windows"
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlaHLAQiFoM0BCNy9zQEIj8rNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw==
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: navigate
        Sec-Fetch-User: ?1
        Sec-Fetch-Dest: document
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
    Source: global traffic; HTTP traffic detected:
        GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1
        Host: www.youtube.com
        Connection: keep-alive
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlaHLAQiFoM0BCNy9zQEIj8rNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw==
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: navigate
        Sec-Fetch-User: ?1
        Sec-Fetch-Dest: document
        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
        sec-ch-ua-mobile: ?0
        sec-ch-ua-platform: "Windows"
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
    Source: global traffic; HTTP traffic detected:
        GET /fs/windows/config.json HTTP/1.1
        Connection: Keep-Alive
        Accept: */*
        Accept-Encoding: identity
        If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
        Range: bytes=0-2147483646
        User-Agent: Microsoft BITS/7.8
        Host: fs.microsoft.com
    Source: global traffic; HTTP traffic detected:
        GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1416443987&timestamp=1727940541297 HTTP/1.1
        Host: accounts.youtube.com
        Connection: keep-alive
        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
        sec-ch-ua-mobile: ?0
        sec-ch-ua-full-version: "117.0.5938.134"
        sec-ch-ua-arch: "x86"
        sec-ch-ua-platform: "Windows"
        sec-ch-ua-platform-version: "10.0.0"
        sec-ch-ua-model: ""
        sec-ch-ua-bitness: "64"
        sec-ch-ua-wow64: ?0
        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlaHLAQiFoM0BCNy9zQEIj8rNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw==
        Sec-Fetch-Site: cross-site
        Sec-Fetch-Mode: navigate
        Sec-Fetch-User: ?1
        Sec-Fetch-Dest: iframe
        Referer: https://accounts.google.com/
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
    Source: global traffic; HTTP traffic detected:
        GET /favicon.ico HTTP/1.1
        Host: www.google.com
        Connection: keep-alive
        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
        sec-ch-ua-mobile: ?0
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
        sec-ch-ua-arch: "x86"
        sec-ch-ua-full-version: "117.0.5938.134"
        sec-ch-ua-platform-version: "10.0.0"
        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
        sec-ch-ua-bitness: "64"
        sec-ch-ua-model: ""
        sec-ch-ua-wow64: ?0
        sec-ch-ua-platform: "Windows"
        Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
        X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlaHLAQiFoM0BCNy9zQEIj8rNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw==
        Sec-Fetch-Site: same-site
        Sec-Fetch-Mode: no-cors
        Sec-Fetch-Dest: image
        Referer: https://accounts.google.com/
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
        Cookie: NID=518=CleEhyKrsCecyKn-8vP45eNzb1S_iqL1kssAnrR6gg-yjy6PcAcWGTs1vvTKsVv4vBpwA8oA7JeQeTMWjVVHachQjjk2IqXAokGPbv2SOSo-KmnXLP7a_TD3saZotVaZERZfv6gyiNBgkvEf0HKJLTHfIZWxGBOlH9ewvvZ48kZM0bpD7A
    Source: global traffic; HTTP traffic detected:
        GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=r5e8dGmzzNT5xWy&MD=vbmEhW9l HTTP/1.1
        Connection: Keep-Alive
        Accept: */*
        User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
        Host: slscr.update.microsoft.com
    Source: global traffic; HTTP traffic detected:
        GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=r5e8dGmzzNT5xWy&MD=vbmEhW9l HTTP/1.1
        Connection: Keep-Alive
        Accept: */*
        User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
        Host: slscr.update.microsoft.com
    Source: chromecache_147.20.dr; String found in binary or memory: _.fq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.fq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.fq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.fq(_.oq(c))+"&hl="+_.fq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.fq(m)+"/chromebook/termsofservice.html?languageCode="+_.fq(d)+"&regionCode="+_.fq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)
    Source: global traffic; DNS traffic detected: DNS query: youtube.com
    Source: global traffic; DNS traffic detected: DNS query: www.youtube.com
    Source: global traffic; DNS traffic detected: DNS query: www.google.com
    Source: global traffic; DNS traffic detected: DNS query: accounts.youtube.com
    Source: global traffic; DNS traffic detected: DNS query: play.google.com
    Source: chromecache_147.20.dr; String found in binary or memory: https://accounts.google.com
    Source: chromecache_147.20.dr; String found in binary or memory: https://accounts.google.com/TOS?loc=
    Source: file.exe, 00000000.00000003.1307421037.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1307566546.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1308261101.0000000000C28000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
    Source: chromecache_145.20.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
    Source: chromecache_147.20.drString found in binary or memory: https://support.google.com/accounts?hl=
    Source: chromecache_147.20.drString found in binary or memory: https://support.google.com/accounts?p=new-si-ui
    Source: chromecache_147.20.drString found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
    Source: chromecache_145.20.drString found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
    Source: chromecache_147.20.drString found in binary or memory: https://www.google.com
    Source: chromecache_147.20.drString found in binary or memory: https://www.google.com/intl/
    Source: chromecache_145.20.drString found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
    Source: chromecache_145.20.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
    Source: chromecache_145.20.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
    Source: chromecache_145.20.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
    Source: chromecache_145.20.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
    Source: chromecache_145.20.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
    Source: chromecache_147.20.drString found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
    Source: chromecache_147.20.drString found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
    Source: file.exe, 00000000.00000003.1307383973.0000000000C62000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/
    Source: file.exe, 00000000.00000003.1287028048.00000000001C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
    Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49712 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49714 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.7:49736 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.7:61158 version: TLS 1.2
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AFEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_00AFEAFF
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AFED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_00AFED6A
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AEAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput | 0_2_00AEAA57
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B19576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_00B19576

    System Summary

    Source: file.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
    Source: file.exe, 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.
    Source: file.exe, 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
    Source: file.exeString found in binary or memory: (the same AutoIt runtime string table as in the memory dump above, present in the file on disk as well)
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AED5EB: CreateFileW,DeviceIoControl,CloseHandle,0_2_00AED5EB
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AE1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00AE1201
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AEE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00AEE8F6
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A88060
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AF2046
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AE8298
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00ABE4FF
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB676B
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B14873
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AACAA0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A8CAF0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A9CC39
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB6DD9
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A9D063
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A891C0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A9B119
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AA1394
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AA1706
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AA781B
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AA19B0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A87920
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A9997D
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AA7A4A
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AA7CA7
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AA1C77
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB9EEE
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B0BE44
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AA1F32
    Source: C:\Users\user\Desktop\file.exeCode function: String function: 00A89CB3 appears 31 times
    Source: C:\Users\user\Desktop\file.exeCode function: String function: 00A9F9F2 appears 40 times
    Source: C:\Users\user\Desktop\file.exeCode function: String function: 00AA0A30 appears 46 times
    Source: file.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: classification engineClassification label: mal72.troj.evad.winEXE@52/30@12/6
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AF37B5 GetLastError,FormatMessageW,0_2_00AF37B5
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AE10BF AdjustTokenPrivileges,CloseHandle,0_2_00AE10BF
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AE16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00AE16C3
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AF51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00AF51CD
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B0A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00B0A67C
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AF648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,0_2_00AF648E
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00A842A2
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1408:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4340:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6256:120:WilError_03
    Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process (7 identical entries)
    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: file.exeVirustotal: Detection: 18%
    Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1840,i,11361579010988229476,10119946490956885098,262144 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5340 --field-trial-handle=1840,i,11361579010988229476,10119946490956885098,262144 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1840,i,11361579010988229476,10119946490956885098,262144 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown (29 further child processes whose image and command line the report lists only as unknown)
    Source: C:\Users\user\Desktop\file.exeSection loaded: wsock32.dll
    Source: C:\Users\user\Desktop\file.exeSection loaded: version.dll
    Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dll
    Source: C:\Users\user\Desktop\file.exeSection loaded: mpr.dll
    Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dll
    Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\file.exeSection loaded: userenv.dll
    Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dll
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dll
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dll
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dll
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dll
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dll
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dll (this load sequence is reported identically for each of the five taskkill.exe instances)
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00A842DE
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AA0A76 push ecx; ret 0_2_00AA0A89
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A9F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00A9F98E
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B11C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00B11C41
    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX (2 entries)
    Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX (5 entries)
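The process chain recorded in this section, file.exe running taskkill /F /IM against chrome.exe, msedge.exe, firefox.exe and opera.exe and then starting chrome.exe with --start-fullscreen on a URL that embeds an accounts.google.com sign-in page, is the behaviour behind the Credential Flusher verdict. The detector below is an added example written for this page, not code from Joe Sandbox or from the sample. It runs over constructed Sysmon-style process-creation records: the command lines of the malicious chain are the ones listed in the report, while the PIDs, the timestamps, the two benign chains, the brave.exe entry, the --kiosk flag and the Microsoft sign-in hosts are assumptions added for contrast. It alerts only when one parent kills at least two distinct browsers and then, within a short window, launches a browser full-screen on a sign-in host.

```python
"""Added example for this page (not Joe Sandbox or sample code): flag a parent that
kills several browsers and then opens one full-screen on a sign-in page."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath
import re

# Browsers the report shows being killed; brave.exe is an assumed addition.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "brave.exe"}
# --start-fullscreen is in the report; --kiosk is an assumed variant.
FULLSCREEN_FLAGS = ("--start-fullscreen", "--kiosk")
# Only accounts.google.com appears in the report; the Microsoft hosts are assumed.
LOGIN_HOSTS = ("accounts.google.com", "login.microsoftonline.com", "login.live.com")
TASKKILL_IM_RE = re.compile(r'/IM\s+"?([^\s"]+)', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """Sysmon EventID 1 subset: UtcTime, ParentProcessId, ProcessId, Image, CommandLine."""
    utc_time: datetime
    parent_pid: int
    pid: int
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    parent_pid: int
    killed_browsers: tuple
    launch_command_line: str


def killed_browser(ev):
    """Browser image name if ev is 'taskkill ... /IM <browser>', else None."""
    if ntpath.basename(ev.image).lower() != "taskkill.exe":
        return None
    m = TASKKILL_IM_RE.search(ev.command_line)
    name = m.group(1).lower() if m else ""
    return name if name in BROWSERS else None


def is_fullscreen_login_launch(ev):
    """True if ev starts a browser full-screen with a sign-in host on its command line."""
    if ntpath.basename(ev.image).lower() not in BROWSERS:
        return False
    low = ev.command_line.lower()
    return any(f in low for f in FULLSCREEN_FLAGS) and any(h in low for h in LOGIN_HOSTS)


def detect(events, window=timedelta(seconds=120), min_browsers=2):
    """One Finding per full-screen sign-in launch whose parent killed at least
    min_browsers distinct browsers within the preceding window."""
    by_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.utc_time):
        by_parent[ev.parent_pid].append(ev)
    findings = []
    for ppid, evs in by_parent.items():
        kills = []  # (time, browser), in time order
        for ev in evs:
            browser = killed_browser(ev)
            if browser:
                kills.append((ev.utc_time, browser))
            elif is_fullscreen_login_launch(ev):
                recent = {b for t, b in kills if ev.utc_time - t <= window}
                if len(recent) >= min_browsers:
                    findings.append(Finding(ppid, tuple(sorted(recent)), ev.command_line))
    return findings


# Constructed sample events: PIDs and timestamps are invented; the command lines of
# the malicious chain are the ones listed in this report.
T0 = datetime(2024, 10, 1, 12, 0, 0)
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
TASKKILL = r"C:\Windows\SysWOW64\taskkill.exe"
SAMPLE_EVENTS = [
    ProcEvent(T0, 1000, 4100, r"C:\Users\user\Desktop\file.exe", r'"C:\Users\user\Desktop\file.exe"'),
    ProcEvent(T0 + timedelta(seconds=1), 4100, 4120, TASKKILL, "taskkill /F /IM chrome.exe /T"),
    ProcEvent(T0 + timedelta(seconds=2), 4100, 4130, TASKKILL, "taskkill /F /IM msedge.exe /T"),
    ProcEvent(T0 + timedelta(seconds=3), 4100, 4140, TASKKILL, "taskkill /F /IM firefox.exe /T"),
    ProcEvent(T0 + timedelta(seconds=4), 4100, 4150, TASKKILL, "taskkill /F /IM opera.exe /T"),
    ProcEvent(T0 + timedelta(seconds=6), 4100, 4200, CHROME,
              f'"{CHROME}" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" '
              "--start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars"),
    # Benign (constructed): an admin script restarts one browser full-screen on an intranet page.
    ProcEvent(T0 + timedelta(minutes=5), 2000, 5100, r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM msedge.exe"),
    ProcEvent(T0 + timedelta(minutes=5, seconds=2), 2000, 5110,
              r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              '"msedge.exe" --start-fullscreen https://intranet.example/dashboard'),
    # Benign (constructed): a signage kiosk that killed nothing beforehand.
    ProcEvent(T0 + timedelta(minutes=10), 3000, 6100, CHROME, f'"{CHROME}" --kiosk https://signage.example/board'),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"parent {f.parent_pid} killed {f.killed_browsers} then ran: {f.launch_command_line}")
```

The two benign chains exercise the false-positive guard: an admin script that restarts a single browser full-screen on an intranet page, and a kiosk that never killed anything, both pass. The BlockInput call the report lists for 0_2_00AFEAA2, which is what keeps the victim inside the full-screen sign-in page, is not visible in process-creation telemetry; correlating it needs API-level tracing such as the sandbox itself provides.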

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\file.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
    Source: C:\Users\user\Desktop\file.exeAPI coverage: 3.5 %
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed (4 entries)
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AEDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_00AEDBBE
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00ABC2A2 FindFirstFileExW,0_2_00ABC2A2
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AF68EE FindFirstFileW,FindClose,0_2_00AF68EE
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AF698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_00AF698F
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00AED076
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00AED3A9
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AF9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00AF9642
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AF979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00AF979D
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AF9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00AF9B2B
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AF5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00AF5C97
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00A842DE
    Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AFEAA2 BlockInput,0_2_00AFEAA2
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AB2622
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00A842DE
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AA4CE8 mov eax, dword ptr fs:[00000030h]0_2_00AA4CE8
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AE0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00AE0B62
    Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AB2622
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AA083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AA083F
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AA09D5 SetUnhandledExceptionFilter,0_2_00AA09D5
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AA0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00AA0C21
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AE1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00AE1201
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AC2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00AC2BA5
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AEB226 SendInput,keybd_event,0_2_00AEB226
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B022DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,0_2_00B022DA
    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /TJump to behavior
    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /TJump to behavior
    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /TJump to behavior
    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /TJump to behavior
    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /TJump to behavior
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AE0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00AE0B62
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AE1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00AE1663
    Source: file.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
    Source: file.exeBinary or memory string: Shell_TrayWnd
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AA0698 cpuid 0_2_00AA0698
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AF8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_00AF8195
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00ADD27A GetUserNameW,0_2_00ADD27A
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00ABB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_00ABB952
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00A842DE

    Stealing of Sensitive Information

    Source: Yara match | File source: Process Memory Space: file.exe PID: 6476, type: MEMORYSTR
    Source: file.exe | Binary or memory string: WIN_81
    Source: file.exe | Binary or memory string: WIN_XP
    Source: file.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
    Source: file.exe | Binary or memory string: WIN_XPe
    Source: file.exe | Binary or memory string: WIN_VISTA
    Source: file.exe | Binary or memory string: WIN_7
    Source: file.exe | Binary or memory string: WIN_8

    Remote Access Functionality

    Source: Yara match | File source: Process Memory Space: file.exe PID: 6476, type: MEMORYSTR
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B01204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B01806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
    MITRE ATT&CK Matrix (techniques listed per tactic column; a number preceding a technique is the count shown in the report's matrix cell)

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
    Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
    Execution: 1 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
    Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
    Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 2 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At
    Defense Evasion: 2 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 1 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 2 Process Injection; HTML Smuggling
    Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
    Discovery: 2 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 16 System Information Discovery; 12 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
    Collection: 1 Archive Collected Data; 21 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
    Command and Control: 2 Ingress Tool Transfer; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
    Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
    Behavior Graph (ID: 1524805, Sample: file.exe, Startdate: 03/10/2024, Architecture: WINDOWS, Score: 72)

    Start
      Signatures: Multi AV Scanner detection for submitted file; Yara detected Credential Flusher; Binary is likely a compiled AutoIt script file; 2 other signatures
      file.exe (started)
        Signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection
        chrome.exe (started)
          DNS/IP: 192.168.2.7 (ports 123, 138, 443) unknown unknown; 239.255.255.250 unknown Reserved
          chrome.exe (started)
            DNS/IP: www.google.com 142.250.186.36 (ports 443, 49710, 61160) GOOGLEUS United States; youtube.com 172.217.16.142 (ports 443, 49700) GOOGLEUS United States; 5 other IPs or domains
          chrome.exe (started)
          chrome.exe (started)
        taskkill.exe (started)
          conhost.exe (started)
        taskkill.exe (started)
          conhost.exe (started)
        3 other processes
          conhost.exe (started)
          conhost.exe (started)
          conhost.exe (started)

    Source | Detection | Scanner | Label
    file.exe | 11% | ReversingLabs |
    file.exe | 18% | Virustotal |
    file.exe | 100% | Joe Sandbox ML |
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label
    www3.l.google.com | 0% | Virustotal |
    youtube-ui.l.google.com | 0% | Virustotal |
    play.google.com | 0% | Virustotal |
    www.google.com | 0% | Virustotal |
    youtube.com | 0% | Virustotal |
    accounts.youtube.com | 0% | Virustotal |
    www.youtube.com | 0% | Virustotal |
    Source | Detection | Scanner | Label
    https://play.google/intl/ | 0% | URL Reputation | safe
    https://families.google.com/intl/ | 0% | URL Reputation | safe
    https://policies.google.com/technologies/location-data | 0% | URL Reputation | safe
    https://apis.google.com/js/api.js | 0% | URL Reputation | safe
    https://support.google.com/accounts?hl= | 0% | URL Reputation | safe
    https://policies.google.com/privacy/google-partners | 0% | URL Reputation | safe
    https://policies.google.com/terms/location | 0% | URL Reputation | safe
    https://policies.google.com/terms/service-specific | 0% | URL Reputation | safe
    https://g.co/recover | 0% | URL Reputation | safe
    https://policies.google.com/privacy | 0% | URL Reputation | safe
    https://policies.google.com/privacy/additional | 0% | URL Reputation | safe
    https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072 | 0% | URL Reputation | safe
    https://policies.google.com/technologies/cookies | 0% | URL Reputation | safe
    https://support.google.com/accounts?p=new-si-ui | 0% | URL Reputation | safe
    https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage | 0% | URL Reputation | safe
    https://policies.google.com/terms | 0% | URL Reputation | safe
    https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url= | 0% | URL Reputation | safe
    https://www.google.com | 0% | Virustotal |
    https://play.google.com/log?format=json&hasfast=true | 0% | Virustotal |
    https://www.youtube.com/t/terms?chromeless=1&hl= | 0% | Virustotal |
    https://youtube.com/t/terms?gl= | 0% | Virustotal |
    https://www.google.com/favicon.ico | 0% | Virustotal |
    https://play.google.com/work/enroll?identifier= | 0% | Virustotal |
    https://www.google.com/intl/ | 1% | Virustotal |
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    youtube-ui.l.google.com | 172.217.18.110 | true | false | | unknown
    www3.l.google.com | 172.217.16.206 | true | false | | unknown
    play.google.com | 142.250.185.142 | true | false | | unknown
    www.google.com | 142.250.186.36 | true | false | | unknown
    youtube.com | 172.217.16.142 | true | false | | unknown
    accounts.youtube.com | unknown | unknown | false | | unknown
    www.youtube.com | unknown | unknown | false | | unknown
    Name | Malicious | Antivirus Detection | Reputation
    https://www.google.com/favicon.ico | false | | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://www.google.com | chromecache_147.20.dr | false | | unknown
    https://play.google.com/log?format=json&hasfast=true | chromecache_147.20.dr | false | | unknown
    https://play.google/intl/ | chromecache_147.20.dr | false | URL Reputation: safe | unknown
    https://families.google.com/intl/ | chromecache_147.20.dr | false | URL Reputation: safe | unknown
    https://youtube.com/t/terms?gl= | chromecache_147.20.dr | false | | unknown
    https://www.youtube.com/t/terms?chromeless=1&hl= | chromecache_147.20.dr | false | | unknown
    https://policies.google.com/technologies/location-data | chromecache_147.20.dr | false | URL Reputation: safe | unknown
    https://www.google.com/intl/ | chromecache_147.20.dr | false | | unknown
    https://apis.google.com/js/api.js | chromecache_145.20.dr | false | URL Reputation: safe | unknown
    https://support.google.com/accounts?hl= | chromecache_147.20.dr | false | URL Reputation: safe | unknown
    https://policies.google.com/privacy/google-partners | chromecache_147.20.dr | false | URL Reputation: safe | unknown
    https://policies.google.com/terms/location | chromecache_147.20.dr | false | URL Reputation: safe | unknown
    https://play.google.com/work/enroll?identifier= | chromecache_147.20.dr | false | | unknown
    https://policies.google.com/terms/service-specific | chromecache_147.20.dr | false | URL Reputation: safe | unknown
    https://g.co/recover | chromecache_147.20.dr | false | URL Reputation: safe | unknown
    https://policies.google.com/privacy | chromecache_147.20.dr | false | URL Reputation: safe | unknown
    https://policies.google.com/privacy/additional | chromecache_147.20.dr | false | URL Reputation: safe | unknown
    https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072 | chromecache_147.20.dr | false | URL Reputation: safe | unknown
    https://policies.google.com/technologies/cookies | chromecache_147.20.dr | false | URL Reputation: safe | unknown
    https://support.google.com/accounts?p=new-si-ui | chromecache_147.20.dr | false | URL Reputation: safe | unknown
    https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage | chromecache_147.20.dr | false | URL Reputation: safe | unknown
    https://policies.google.com/terms | chromecache_147.20.dr | false | URL Reputation: safe | unknown
    https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url= | chromecache_145.20.dr | false | URL Reputation: safe | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    142.250.186.36 | www.google.com | United States | 15169 | GOOGLEUS | false
    172.217.16.206 | www3.l.google.com | United States | 15169 | GOOGLEUS | false
    239.255.255.250 | unknown | Reserved | unknown | unknown | false
    172.217.18.110 | youtube-ui.l.google.com | United States | 15169 | GOOGLEUS | false
    172.217.16.142 | youtube.com | United States | 15169 | GOOGLEUS | false
    IP
    192.168.2.7
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1524805
    Start date and time:2024-10-03 09:27:54 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 5m 11s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:30
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:file.exe
    Detection:MAL
    Classification:mal72.troj.evad.winEXE@52/30@12/6
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 96%
    • Number of executed functions: 39
    • Number of non-executed functions: 314
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 142.250.184.227, 142.250.184.238, 142.251.173.84, 34.104.35.123, 142.250.184.195, 142.250.185.195, 142.250.181.234, 142.250.184.234, 216.58.212.170, 142.250.185.74, 142.250.184.202, 142.250.186.42, 142.250.74.202, 142.250.185.202, 142.250.185.138, 216.58.206.42, 172.217.16.138, 142.250.185.106, 142.250.185.170, 172.217.18.10, 142.250.186.170, 142.250.185.234, 142.250.186.74, 216.58.206.74, 172.217.16.202, 142.250.186.106, 142.250.186.138, 199.232.210.172, 142.250.185.99, 64.233.184.84, 142.250.185.142
    • Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, time.windows.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
    • Not all processes were analyzed, report is missing behavior information
    • Report size exceeded maximum capacity and may have missing disassembly code.
    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
    No simulations
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    239.255.255.250 | https://email.mg.pmctraining.com/c/eJwkkcuSojAUhp_muJOKJyHAgoXTyMw41lxaa9TepZNwkUvoEER8-i7o3Vf5_tS5qVhRobla6XgTYBCSaMP9VRFHAWWMaKZYqJifqSALMoEkyiiXWvBsVcZaCn-jwmCtA63XQaTFmoVhuNZSURVo5RPCgJEm97pGOivKtmxzT5pmVceFc10PdAuYAqbjOHq5MXmtPWm8oQJMB1sDTT-AJqz9rc_hMPwrt93h9id50qkA5FY6oMnlyEiJ-zFZQtMkT4C8F0ATB8h1byXQL5fmu5cteUx9uGswPcwxM1ipgSaAXKr5y5GfwtqEw05apk_lGF1-zE7M8tL9rZJs_1WwTvb_j-QKyO96lo9bW7n6w07X8_j289urze-_APkgliZnmsdJRNMB-pjWMhN9UZrWWd2qft7J8l6Zyiyw3-TiuJAUnZOFWBgwvZ4fncRoODRdcUW3VU39FJfX5xUj8v49Hd5e_Ns7EqDJysaiLnvTejchK2DkXval66VxtWjVcoZ7jJ8BAAD__0X-oIk | malicious | Unknown |
    239.255.255.250 | http://packedbrick%5B.%5Dcom | malicious | Unknown |
    239.255.255.250 | file.exe | malicious | Credential Flusher |
    239.255.255.250 | https://www.diamondsbyeden.com/ | malicious | Unknown |
    239.255.255.250 | https://www.diamondsbyeden.com/ | malicious | Unknown |
    239.255.255.250 | file.exe | malicious | Credential Flusher |
    239.255.255.250 | https://porn-app.com/download2 | malicious | HTMLPhisher |
    239.255.255.250 | https://globalairt.com/arull.php?7104797967704b536932307464507a53744a4c53704a7a4d77727273784c7a7453725374524c7a732f564c3477776474594841413d3dkkirkman@ssc.nsw.gov.au | malicious | HTMLPhisher |
    239.255.255.250 | file.exe | malicious | Credential Flusher |
    239.255.255.250 | Refrence-Order#63729.pdf | malicious | Azorult |
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    play.google.com | http://packedbrick%5B.%5Dcom | malicious | Unknown | 142.250.181.238
    play.google.com | file.exe | malicious | Credential Flusher | 142.250.185.206
    play.google.com | file.exe | malicious | Credential Flusher | 142.250.186.78
    play.google.com | file.exe | malicious | Credential Flusher | 142.250.186.78
    play.google.com | file.exe | malicious | Credential Flusher | 142.250.184.238
    play.google.com | file.exe | malicious | Amadey, Credential Flusher, Stealc | 216.58.206.78
    play.google.com | file.exe | malicious | Credential Flusher | 142.250.186.174
    play.google.com | file.exe | malicious | Credential Flusher | 216.58.206.78
    play.google.com | http://www.sunsetsafaris.com.au//home | malicious | Unknown | 216.58.212.142
    play.google.com | file.exe | malicious | Credential Flusher | 142.250.185.142
    No context
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    28a2c9bd18a11de089ef85a160da29e4 | https://email.mg.pmctraining.com/c/eJwkkcuSojAUhp_muJOKJyHAgoXTyMw41lxaa9TepZNwkUvoEER8-i7o3Vf5_tS5qVhRobla6XgTYBCSaMP9VRFHAWWMaKZYqJifqSALMoEkyiiXWvBsVcZaCn-jwmCtA63XQaTFmoVhuNZSURVo5RPCgJEm97pGOivKtmxzT5pmVceFc10PdAuYAqbjOHq5MXmtPWm8oQJMB1sDTT-AJqz9rc_hMPwrt93h9id50qkA5FY6oMnlyEiJ-zFZQtMkT4C8F0ATB8h1byXQL5fmu5cteUx9uGswPcwxM1ipgSaAXKr5y5GfwtqEw05apk_lGF1-zE7M8tL9rZJs_1WwTvb_j-QKyO96lo9bW7n6w07X8_j289urze-_APkgliZnmsdJRNMB-pjWMhN9UZrWWd2qft7J8l6Zyiyw3-TiuJAUnZOFWBgwvZ4fncRoODRdcUW3VU39FJfX5xUj8v49Hd5e_Ns7EqDJysaiLnvTejchK2DkXval66VxtWjVcoZ7jJ8BAAD__0X-oIk | malicious | Unknown | 184.28.90.27, 20.114.59.183
    28a2c9bd18a11de089ef85a160da29e4 | http://packedbrick%5B.%5Dcom | malicious | Unknown | 184.28.90.27, 20.114.59.183
    28a2c9bd18a11de089ef85a160da29e4 | file.exe | malicious | Credential Flusher | 184.28.90.27, 20.114.59.183
    28a2c9bd18a11de089ef85a160da29e4 | https://www.diamondsbyeden.com/ | malicious | Unknown | 184.28.90.27, 20.114.59.183
    28a2c9bd18a11de089ef85a160da29e4 | file.exe | malicious | Credential Flusher | 184.28.90.27, 20.114.59.183
    28a2c9bd18a11de089ef85a160da29e4 | https://porn-app.com/download2 | malicious | HTMLPhisher | 184.28.90.27, 20.114.59.183
    28a2c9bd18a11de089ef85a160da29e4 | https://globalairt.com/arull.php?7104797967704b536932307464507a53744a4c53704a7a4d77727273784c7a7453725374524c7a732f564c3477776474594841413d3dkkirkman@ssc.nsw.gov.au | malicious | HTMLPhisher | 184.28.90.27, 20.114.59.183
    28a2c9bd18a11de089ef85a160da29e4 | file.exe | malicious | Credential Flusher | 184.28.90.27, 20.114.59.183
    28a2c9bd18a11de089ef85a160da29e4 | Refrence-Order#63729.pdf | malicious | Azorult | 184.28.90.27, 20.114.59.183
    28a2c9bd18a11de089ef85a160da29e4 | file.exe | malicious | Credential Flusher | 184.28.90.27, 20.114.59.183
    No context
                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                        File Type:ASCII text, with very long lines (553)
                        Category:downloaded
                        Size (bytes):744362
                        Entropy (8bit):5.7913337944729175
                        Encrypted:false
                        SSDEEP:6144:HVXWBQkPdzg5pTX1ROv/duPzd8C3s891/Q:gfd8j91/Q
                        MD5:C6E31A4B08FC2DF9191AA47785B3FB31
                        SHA1:5094D16F35D927EBE73D715F95E199BB2112BFA6
                        SHA-256:67CA532191F69C2FF20D2A015493D6A4AB7ADC9C584A86F1E10E272FD72100E9
                        SHA-512:6C6E78717D44F86CA4FBCA84534810D6432913D9D61BC13FE010D03775F6FE5C4705B4D1965641C858DE68DBA7D1B306CE12FF62E4C38995C1EE3EA0541F9565
                        Malicious:false
                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlHMmP29tNFN_V7bhU8rapgP9PTgBw/m=_b,_tp"
                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a||[]};(0,_._F_toggles_initialize)([0x286081c4, 0x2046d860, 0x39e1fc40, 0x14501e80, 0xe420, 0x0, 0x1a000000, 0x1d000003, 0xc, ]);./*.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/./*.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0.*/./*.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT.*/./*. SPDX-License-Identifier: Apache-2.0.*/./*. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/.var baa,daa,Ma,Sa,gaa,iaa,jb,qaa,waa,Caa,Haa,Kaa,Jb,Laa,Ob,Qb,Rb,Maa,Naa,Sb,Oaa,Paa,Qaa,Yb,Vaa,Xaa,ec,fc,gc,bba,cba,gba,jba,lba,mba,qba,tba,nba,sba,rba,pba,oba,uba,yba,Cba,Dba,Aba,Hc,Ic,Gba,Iba,Mba,Nba,Oba,Pba,Lba,Qba,Sba,dd,Uba,Vba,Xba,Zba,Yba,aca,bca,cca,dca,fca,eca,hca,ica,jca,kca,nca,
                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                        File Type:ASCII text, with very long lines (533)
                        Category:downloaded
                        Size (bytes):9210
                        Entropy (8bit):5.404371326611379
                        Encrypted:false
                        SSDEEP:192:EEFZpeip4HzZlY0If0Ma23jcUcrhCx6VD1TYPi8:Es/p4jgjUhtD1TY68
                        MD5:21E893B65627B397E22619A9F5BB9662
                        SHA1:F561B0F66211C1E7B22F94B4935C312AB7087E85
                        SHA-256:FFA9B8BC8EF2CDFF5EB4BA1A0BA1710A253A5B42535E2A369D5026967DCF4673
                        SHA-512:3DE3CD6A4E9B06AB3EB324E90A40B5F2AEEA8D7D6A2651C310E993CF79EEB5AC6E2E33C587F46B2DD20CC862354FD1A61AEBB9B990E6805F6629404BA285F8FA
                        Malicious:false
                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.qNa=_.y("SD8Jgb",[]);._.GX=function(a,b){if(typeof b==="string")a.Lc(b);else if(b instanceof _.Fp&&b.ia&&b.ia===_.A)b=_.Ya(b.Lw()),a.empty().append(b);else if(b instanceof _.Ua)b=_.Ya(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.HX=function(a){var b=_.Io(a,"[jsslot]");if(b.size()>0)return b;b=new _.Go([_.Kk("span")]);_.Jo(b,"jsslot","");a.empty().append(b);return b};_.NLb=function(a){return a===null||typeof a==="string"&&_.Hi(a)};._.k("SD8Jgb");._.MX=function(a){_.X.call(this,a.Fa);this.Ua=a.controller.Ua;this.od=a.controllers.od[0]||null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null||b.setAttribute("type","button")};_.J(_.MX,_.X);_.MX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.mv},header:{jsname:"tJHJj",ctor:_.mv},nav:{jsname:"DH6Rkf",ct
                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                        File Type:ASCII text, with very long lines (5693)
                        Category:downloaded
                        Size (bytes):698791
                        Entropy (8bit):5.595243292922648
                        Encrypted:false
                        SSDEEP:6144:TJvaKtQfcxene0F2HhPM8RGYcBlKmd5r6XIQqS7SlncOpYMSrBg5X3O4mAEFD7:TJyKtkIct842IQqHJ09
                        MD5:7A4AEFC2F596D19F522738DB34C5A680
                        SHA1:7F6E9BE8B3C1450075365A31FF6E4B49F1D35BA7
                        SHA-256:61D7FF7565945545C0D823CCFC5DB5D09C8714FBF8AD77994F389F08289124B2
                        SHA-512:7D80188B002DB3ED7360B9B236DE435F2008345ECEC00FDE39412BE39DE5C08FD80CBD2D7370D0DBB98F4BCCA0CEF147AD9E7935AC2894DB55D81C1B32EB647E
                        Malicious:false
                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
                        Preview:"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left
                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                        File Type:ASCII text, with very long lines (2907)
                        Category:downloaded
                        Size (bytes):22833
                        Entropy (8bit):5.425034548615223
                        Encrypted:false
                        SSDEEP:384:7lFo6ZEdpgtmyiPixV9OX9gMBpHkHnfst9lZulagGcwYHiRFjJzN7:77o6ZviPixV8xpEHn89l4IgGcwYCRtb7
                        MD5:749B18538FE32BFE0815D75F899F5B21
                        SHA1:AF95A019211AF69F752A43CAA54A83C2AFD41D28
                        SHA-256:116B2687C1D5E00DB56A79894AB0C12D4E2E000B9379B7E7AD751B84DF611F3F
                        SHA-512:E4B6F4556AA0FD9979BB52681508F5E26FFB256473803F74F7F5C8D93FA3636D7D0A5835618FBC6123022805CE0D9616A7451A0F302C665E28A6090B5D588505
                        Malicious:false
                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.uu.prototype.da=_.ca(40,function(){return _.rj(this,3)});_.$y=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.$y.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.az=function(){this.ka=!0;var a=_.vj(_.dk(_.Be("TSDtV",window),_.zya),_.uu,1,_.qj())[0];if(a){var b={};for(var c=_.n(_.vj(a,_.Aya,2,_.qj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Jj(d,1).toString();switch(_.tj(d,_.vu)){case 3:b[e]=_.Hj(d,_.lj(d,_.vu,3));break;case 2:b[e]=_.Jj(d,_.lj(d,_.vu,2));break;case 4:b[e]=_.Kj(d,_.lj(d,_.vu,4));break;case 5:b[e]=_.Lj(d,_.lj(d,_.vu,5));break;case 6:b[e]=_.Pj(d,_.ff,6,_.vu);break;default:throw Error("jd`"+_.tj(d,_.vu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.az.prototype.aa=function(a){if(!this.ka||a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Be("nQyAE",window)){var b=_.Cya(a.flagName);if(b===null)a=a.de
                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                        File Type:HTML document, ASCII text, with very long lines (681)
                        Category:downloaded
                        Size (bytes):4067
                        Entropy (8bit):5.363457972758152
                        Encrypted:false
                        SSDEEP:96:G2CiFZX5BReR68ujioIRVrqtyzBeTV6SfyAKLif9cLw:bCMZXVeR6jiosVrqtyzBaImyAKw9z
                        MD5:B027BF10F968F37628EB698B2CF46D8E
                        SHA1:0C9801E4FF3BE18102E6E22246B4262FCC6CE011
                        SHA-256:98608C8414932B6F029948A323B1236EFB96861306FD1EDEB6CE47E180392B47
                        SHA-512:3B1E5A3B247273F025EACF389F98BC139F8453ECEC7A2EC762A4E3279F220B7BED2CB23CD5630E92ED03187C514956DF814E9450FFAA10BFE312633B445DBEF1
                        Malicious:false
                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
                        Preview:"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.vg(_.aqa);._.k("sOXFj");.var tu=function(a){_.W.call(this,a.Fa)};_.J(tu,_.W);tu.Ba=_.W.Ba;tu.prototype.aa=function(a){return a()};_.nu(_.$pa,tu);._.l();._.k("oGtAuc");._.yya=new _.pf(_.aqa);._.l();._.k("q0xTif");.var sza=function(a){var b=function(d){_.Sn(d)&&(_.Sn(d).Jc=null,_.Du(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Pu=function(a){_.kt.call(this,a.Fa);this.Qa=this.dom=null;if(this.kl()){var b=_.zm(this.Ug(),[_.Em,_.Dm]);b=_.ni([b[_.Em],b[_.Dm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.hu(this,b)}this.Ra=a.lm.zea};_.J(Pu,_.kt);Pu.Ba=function(){return{lm:{zea:function(a){return _.Ue(a)}}}};Pu.prototype.zp=function(a){return this.Ra.zp(a)};.Pu.prototype.getData=function(a){return this.Ra.getData(a)};Pu.prototype.qo=function(){_.Kt(this.d
                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                        File Type:MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
                        Category:downloaded
                        Size (bytes):5430
                        Entropy (8bit):3.6534652184263736
                        Encrypted:false
                        SSDEEP:48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
                        MD5:F3418A443E7D841097C714D69EC4BCB8
                        SHA1:49263695F6B0CDD72F45CF1B775E660FDC36C606
                        SHA-256:6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
                        SHA-512:82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
                        Malicious:false
                        URL:https://www.google.com/favicon.ico
                        Preview:............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................
                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                        File Type:ASCII text, with very long lines (683)
                        Category:downloaded
                        Size (bytes):3131
                        Entropy (8bit):5.355381206612617
                        Encrypted:false
                        SSDEEP:48:o7FEEM3MtH15jNQ8jsK3rnw0dkckTrKEp/OqLE9xz0W5Bzv3M6hIHYA+JITbwrF8:oq675jOArwoAmI/DLaxNPL5m+m6w
                        MD5:E2A7251AD83A0D0634FEA2703D10ED07
                        SHA1:90D72011F31FC40D3DA3748F2817F90A29EB5C01
                        SHA-256:1079B49C4AAF5C10E4F2E6A086623F40D200A71FF2A1F64E88AA6C91E4BE7A6F
                        SHA-512:CD6D75580EA8BD97CF7C7C0E0BD9D9A54FB6EA7DF1DDB5A95E94D38B260F9EE1425C640839ECD229B8D01E145CF2786CA374D31EC537EB8FE17FF415D5B985F5
                        Malicious:false
                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("ZwDk9d");.var gA=function(a){_.W.call(this,a.Fa)};_.J(gA,_.W);gA.Ba=_.W.Ba;gA.prototype.eS=function(a){return _.Xe(this,{Xa:{gT:_.ll}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.li(function(e){window._wjdc=function(f){d(f);e(ZJa(f,b,a))}}):ZJa(c,b,a)})};var ZJa=function(a,b,c){return(a=a&&a[c])?a:b.Xa.gT.eS(c)};.gA.prototype.aa=function(a,b){var c=_.Zra(b).Rj;if(c.startsWith("$")){var d=_.gm.get(a);_.uq[b]&&(d||(d={},_.gm.set(a,d)),d[c]=_.uq[b],delete _.uq[b],_.vq--);if(d)if(a=d[c])b=_.af(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.nu(_.Lfa,gA);._.l();._.k("SNUn3");._.YJa=new _.pf(_.wg);._.l();._.k("RMhBfe");.var $Ja=function(a){var b=_.tq(a);return b?new _.li(function(c,d){var e=function(){b=_.tq(a);var f=_.Sfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit
                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                        File Type:ASCII text, with very long lines (395)
                        Category:downloaded
                        Size (bytes):1608
                        Entropy (8bit):5.257113147606035
                        Encrypted:false
                        SSDEEP:48:o72ZrNZ4yNAbU+15fMxIdf5WENoBCbw7DbG2bEJrw:oyNNAY+1i4HoBNG2Ilw
                        MD5:F06E2DC5CC446B39F878B5F8E4D78418
                        SHA1:9F1F34FDD8F8DAB942A9B95D9F720587B6F6AD48
                        SHA-256:118E4D2FE7CEF205F9AFC87636554C6D8220882B158333EE3D1990282D158B8F
                        SHA-512:893C4F883CD1C88C6AAF5A6E7F232D62823A53E1FFDE5C1C52BB066D75781DD041F4D281CDBF18070D921CE862652D8863E2B9D5E0190CFA4128890D62C44168
                        Malicious:false
                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("w9hDv");._.vg(_.Hla);_.eA=function(a){_.W.call(this,a.Fa);this.aa=a.Xa.cache};_.J(_.eA,_.W);_.eA.Ba=function(){return{Xa:{cache:_.dt}}};_.eA.prototype.execute=function(a){_.Bb(a,function(b){var c;_.$e(b)&&(c=b.eb.kc(b.kb));c&&this.aa.xG(c)},this);return{}};_.nu(_.Nla,_.eA);._.l();._.k("ZDZcre");.var fH=function(a){_.W.call(this,a.Fa);this.Wl=a.Ea.Wl;this.d4=a.Ea.metadata;this.aa=a.Ea.ot};_.J(fH,_.W);fH.Ba=function(){return{Ea:{Wl:_.KG,metadata:_.VZa,ot:_.HG}}};fH.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Bb(a,function(c){var d=b.d4.getType(c.Od())===2?b.Wl.Rb(c):b.Wl.fetch(c);return _.yl(c,_.LG)?d.then(function(e){return _.Dd(e)}):d},this)};_.nu(_.Sla,fH);._.l();._.k("K5nYTd");._.UZa=new _.pf(_.Ola);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var NG=function(a){_.W.call(this,a.Fa);this.aa=a.Ea.tQ};_.J(NG,_.W);NG.Ba=func
                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                        File Type:Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
                        Category:downloaded
                        Size (bytes):52280
                        Entropy (8bit):7.995413196679271
                        Encrypted:true
                        SSDEEP:1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
                        MD5:F61F0D4D0F968D5BBA39A84C76277E1A
                        SHA1:AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
                        SHA-256:57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
                        SHA-512:6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
                        Malicious:false
                        URL:https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
                        Preview:wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.*',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.|*(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.5*1w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e*......71.?.7.ORv.?...l...G|.P...|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....|..D.d..
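The WOFF2 entry above is the only file in this list flagged Encrypted:true, and its entropy (7.995 bits/byte) is the reason: WOFF2 fonts are Brotli-compressed, and compressed data is statistically indistinguishable from encrypted data by an entropy test, so the flag here is a compression artefact rather than an indicator. The added example below (not part of the Joe Sandbox report or its tooling) recomputes the per-file fields printed in these entries (size, 8-bit Shannon entropy, MD5/SHA1/SHA-256/SHA-512) from a file's bytes, parses an entry in the report's own Key:Value layout, and lists the fields that disagree, which is how an analyst re-verifies an IOC list against a retrieved sample. The 7.9 cut-off for the Encrypted flag is an assumption inferred from the values on this page (Joe Sandbox's real threshold is not stated here); SSDEEP is omitted because it needs the external ssdeep library; the sample inputs and the zero-byte report entry are constructed.

```python
"""Recompute the per-file fields of a Joe Sandbox 'Downloaded Files' entry and
diff them against the values printed in the report (added example code)."""
import hashlib
import math
import re
from collections import Counter

# Assumption, not stated on the page: the Encrypted flag is an entropy-only
# heuristic. The WOFF2 font is Encrypted:true at 7.9954 bits/byte, the JS/HTML
# files (5.26-5.60) are false, so 7.9 is used as the cut-off here.
ENTROPY_FLAG_THRESHOLD = 7.9


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for empty input, 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def fingerprint(data: bytes) -> dict:
    """Recompute the report fields for one file (SSDEEP omitted: needs libssdeep)."""
    ent = shannon_entropy(data)
    return {
        "Size (bytes)": str(len(data)),
        "Entropy (8bit)": f"{ent:.6f}",
        "Encrypted": "true" if ent >= ENTROPY_FLAG_THRESHOLD else "false",
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def parse_report_entry(text: str) -> dict:
    """Parse the 'Key:Value' lines of one file entry as printed in the report.
    The non-greedy key match stops at the first colon, so values such as
    'C:\\Program Files\\...' or 'https://...' keep their own colons."""
    entry = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z0-9 ()\-]*?):(.*)$", line)
        if m:
            entry[m.group(1).strip()] = m.group(2).strip()
    return entry


def verify(entry: dict, data: bytes) -> list:
    """Names of report fields whose recomputed value disagrees with the entry.
    Entropy is compared with a tolerance, the rest case-insensitively exact."""
    fp = fingerprint(data)
    bad = [f for f in ("Size (bytes)", "MD5", "SHA1", "SHA-256", "SHA-512", "Encrypted")
           if f in entry and entry[f].upper() != fp[f].upper()]
    if "Entropy (8bit)" in entry and \
            abs(float(entry["Entropy (8bit)"]) - float(fp["Entropy (8bit)"])) > 1e-6:
        bad.append("Entropy (8bit)")
    return bad


# Constructed report entry for a zero-byte file (well-known empty-input digests);
# not one of the entries from this analysis.
REPORT_ENTRY_EXAMPLE = """
    Process:C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
    File Type:empty
    Category:downloaded
    Size (bytes):0
    Entropy (8bit):0.0
    Encrypted:false
    MD5:D41D8CD98F00B204E9800998ECF8427E
    SHA1:DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
    SHA-256:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
    Malicious:false
"""

# Constructed sample inputs: minified-JS-like text, and a deterministic
# pseudo-random stream standing in for Brotli-compressed WOFF2 bytes.
SAMPLE_TEXT = ('"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};'
               '(function(_){var window=this;try{_.k("SD8Jgb");}catch(e){}})();\n' * 200).encode()
SAMPLE_COMPRESSED_LIKE = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(1634))  # 52288 bytes

if __name__ == "__main__":
    entry = parse_report_entry(REPORT_ENTRY_EXAMPLE)
    print("zero-byte entry mismatches:", verify(entry, b""))
    for name, blob in (("js-like text", SAMPLE_TEXT), ("compressed-like", SAMPLE_COMPRESSED_LIKE)):
        fp = fingerprint(blob)
        print(f"{name}: entropy={fp['Entropy (8bit)']} Encrypted={fp['Encrypted']}")
```

In practice the mismatch list is what matters: an empty list means the file you pulled from the proxy cache or endpoint is byte-identical to what the sandbox saw, while any hash mismatch means you are looking at a different artefact (a re-served CDN bundle, a truncated download) and should not reuse the report's conclusions for it. The Encrypted field is the one value not to treat as evidence on its own.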
                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                        File Type:ASCII text, with very long lines (1694)
                        Category:downloaded
                        Size (bytes):32500
                        Entropy (8bit):5.378903546681047
                        Encrypted:false
                        SSDEEP:768:zYlbuROstb0e39nKGrkysU0smpu4OLOdzIf1p/5GeSsngurz6aKEEEGo/:zYl61Cysbu4OLOdzIfrIen72ZFo/
                        MD5:BF4BF9728A7C302FBA5B14F3D0F1878B
                        SHA1:2607CA7A93710D629400077FF3602CB207E6F53D
                        SHA-256:8981E7B228DF7D6A8797C0CD1E9B0F1F88337D5F0E1C27A04E7A57D2C4309798
                        SHA-512:AC9E170FC3AFDC0CF6BB8E926B93EF129A5FAD1BBA51B60BABCF3555E9B652E98F86A00FB099879DED35DD3FFE72ECFA597E20E6CA8CF402BEDEC40F78412EDA
                        Malicious:false
                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{.var Aua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.ap("//www.google.com/images/cleardot.gif");_.op(c)}this.ka=c};_.h=Aua.prototype;_.h.Zc=null;_.h.lZ=1E4;_.h.bA=!1;_.h.nQ=0;_.h.zJ=null;_.h.bV=null;_.h.setTimeout=function(a){this.lZ=a};_.h.start=function(){if(this.bA)throw Error("dc");this.bA=!0;this.nQ=0;Bua(this)};_.h.stop=function(){Cua(this);this.bA=!1};.var Bua=function(a){a.nQ++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.km((0,_.bg)(a.aH,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.bg)(a.Fja,a),a.aa.onerror=(0,_.bg)(a.Eja,a),a.aa.onabort=(0,_.bg)(a.Dja,a),a.zJ=_.km(a.Gja,a.lZ,a),a.aa.src=String(a.ka))};_.h=Aua.prototype;_.h.Fja=function(){this.aH(!0)};_.h.Eja=function(){this.aH(!1)};_.h.Dja=function(){this.aH(!1)};_.h.Gja=function(){this.aH(!1)};._.h.aH=function(a){Cua(this);a?(this.bA=!1,this.da.call(this.ea,!0)):this.nQ<=0?Bua(this):(this.bA=!1,
                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                        File Type:ASCII text, with very long lines (755)
                        Category:downloaded
                        Size (bytes):1460
                        Entropy (8bit):5.291808298251231
                        Encrypted:false
                        SSDEEP:24:kMYD7DuZvuhqCsNRxoYTY9/qoVk7hz1l2p6vDMW94uEQOeGbCx4VGbgCSFBV87OU:o7DuZWhv6oy12kvwKEeGbC6GbHSh/Hrw
                        MD5:4CA7ADFE744A690411EA4D3EA8DB9E4B
                        SHA1:2CF1777A199E25378D330DA68BED1871B5C5BC32
                        SHA-256:128129BA736B3094323499B0498A5B3A909C1529717461C34B70080A5B1603BD
                        SHA-512:8BD3477AF41D1F0FE74AFFCB177BEC0F5F4FDCBBA6BD29D9C2567E6FFDEF5DEB7FF74BF348F33209C39D7BB4958E748DF6731D3DC8F6947352276BC92EAF9E79
                        Malicious:false
                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("lOO0Vd");._.VZa=new _.pf(_.Am);._.l();._.k("P6sQOc");.var $Za=!!(_.Kh[1]&16);var b_a=function(a,b,c,d,e){this.ea=a;this.wa=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=a_a(this)},c_a=function(a){var b={};_.La(a.yS(),function(e){b[e]=!0});var c=a.pS(),d=a.tS();return new b_a(a.qP(),c.aa()*1E3,a.WR(),d.aa()*1E3,b)},a_a=function(a){return Math.random()*Math.min(a.wa*Math.pow(a.ka,a.aa),a.Ca)},OG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var PG=function(a){_.W.call(this,a.Fa);this.da=a.Ea.EV;this.ea=a.Ea.metadata;a=a.Ea.Xga;this.fetch=a.fetch.bind(a)};_.J(PG,_.W);PG.Ba=function(){return{Ea:{EV:_.YZa,metadata:_.VZa,Xga:_.OZa}}};PG.prototype.aa=function(a,b){if(this.ea.getType(a.Od())!==1)return _.Sm(a);var c=this.da.eV;return(c=c?c_a(c):null)&&OG(c)?_.wya(a,d_a(this,a,b,c)):_.Sm(a)};.var d_a=function(a,b,c,d){return c.then(function(e){return e},function(e)
                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                        File Type:ASCII text, with very long lines (570)
                        Category:downloaded
                        Size (bytes):3467
                        Entropy (8bit):5.514745431912774
                        Encrypted:false
                        SSDEEP:96:ozbld2fNUmeqJNizhNtt1W8t//loyIpXmdVE2w:onSKE8PWe/Cy4X3j
                        MD5:8DEF399E8355ABC23E64505281005099
                        SHA1:24FF74C3AEFD7696D84FF148465DF4B1B60B1696
                        SHA-256:F128D7218E1286B05DF11310AD3C8F4CF781402698E45448850D2A3A22F5F185
                        SHA-512:33721DD47658D8E12ADF6BD9E9316EB89F5B6297927F7FD60F954E04B829DCBF0E1AE6DDD9A3401F45E0011AE4B1397B960C218238A3D0F633A2173D8E604082
                        Malicious:false
                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("Wt6vjf");.var cya=function(){var a=_.He();return _.Lj(a,1)},Yt=function(a){this.Da=_.t(a,0,Yt.messageId)};_.J(Yt,_.w);Yt.prototype.Ha=function(){return _.Dj(this,1)};Yt.prototype.Va=function(a){return _.Vj(this,1,a)};Yt.messageId="f.bo";var Zt=function(){_.hm.call(this)};_.J(Zt,_.hm);Zt.prototype.xd=function(){this.CT=!1;dya(this);_.hm.prototype.xd.call(this)};Zt.prototype.aa=function(){eya(this);if(this.wC)return fya(this),!1;if(!this.KV)return $t(this),!0;this.dispatchEvent("p");if(!this.zP)return $t(this),!0;this.wM?(this.dispatchEvent("r"),$t(this)):fya(this);return!1};.var gya=function(a){var b=new _.ap(a.W4);a.qQ!=null&&_.Jn(b,"authuser",a.qQ);return b},fya=function(a){a.wC=!0;var b=gya(a),c="rt=r&f_uid="+_.pk(a.zP);_.cn(b,(0,_.bg)(a.ea,a),"POST",c)};.Zt.prototype.ea=function(a){a=a.target;eya(this);if(_.fn(a)){this.cK=0;if(this.wM)this.wC=!1,this.dispatchEvent("r"
                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                        File Type:ASCII text, with very long lines (522)
                        Category:downloaded
                        Size (bytes):5050
                        Entropy (8bit):5.289052544075544
                        Encrypted:false
                        SSDEEP:96:o4We0hP7OBFXYvB1sig3Fd8HkaXzLmUrv8Vh1WJlLQXT2v2gqw:655758Fd8HkaPZ0GmAD
                        MD5:26E26FD11772DFF5C7004BEA334289CC
                        SHA1:638DAAF541BDE31E95AEE4F8ADA677434D7051DB
                        SHA-256:ADFE3E4960982F5EF4C043052A9990D8683C5FC2B590E817B6B1A5774DDE2CE3
                        SHA-512:C31929EB6D1C60D6A84A2574FF60490394A6D6F9B354972F3328952F570D80B3F2AEC916B0E1B66DDB1AC056EB75BFAC477E7AF631D0AD1810EDBAF025465D66
                        Malicious:false
                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                        File Type:ASCII text, with no line terminators
                        Category:downloaded
                        Size (bytes):84
                        Entropy (8bit):4.875266466142591
                        Encrypted:false
                        SSDEEP:3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
                        MD5:87B6333E98B7620EA1FF98D1A837A39E
                        SHA1:105DE6815B0885357DE1414BFC0D77FCC9E924EF
                        SHA-256:DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
                        SHA-512:867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
                        Malicious:false
                        URL:https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzQSHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
                        Preview:Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA
                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                        File Type:ASCII text, with very long lines (468)
                        Category:downloaded
                        Size (bytes):1858
                        Entropy (8bit):5.298162049824456
                        Encrypted:false
                        SSDEEP:48:o7vGoolL3ALFKphnpiu7xOKAcfO/3d/rYh4vZorw:o/QLUFUL4KA+2y0Mw
                        MD5:CE055F881BDAB4EF6C1C8AA4B3890348
                        SHA1:2671741A70E9F5B608F690AAEEA4972003747654
                        SHA-256:9B91C23691D6032CDFE28863E369624B2EDB033E1487A1D1BB0977E3590E5462
                        SHA-512:8A22250628985C2E570E6FBADFC0D5CB6753F0735130F9E74962A409476C2859C5C81F8A0F5C427A9F13ED399C8E251FA43FF67AD5F16860640D45E7A538E857
                        Malicious:false
                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):6.583317111592395
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:file.exe
                        File size:919'040 bytes
                        MD5:8d3ee4b9b4f941932e71657e1bbc0aaa
                        SHA1:b789aa43c4a8f53eb8e6df61747c99e70634b22c
                        SHA256:35359f4b8af06d6b3b37992f7ae8f9c9bea7a975f51e697cc738b4ef65715a98
                        SHA512:aa5493f1baf3520799d581ffbd6e762b1dcb495f947a1ee558ca4f3bba963043aad3bd6746243a3b2ff6c5bd7a59dc353c19a5cdf9d0d318eccb98ae8a4c7e4f
                        SSDEEP:12288:5qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgalT8:5qDEvCTbMWu7rQYlBQcBiT6rprG8aR8
                        TLSH:2C159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
                        File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                        Icon Hash:aaf3e3e3938382a0
                        Entrypoint:0x420577
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                        Time Stamp:0x66FE4190 [Thu Oct 3 07:02:40 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:1
                        File Version Major:5
                        File Version Minor:1
                        Subsystem Version Major:5
                        Subsystem Version Minor:1
                        Import Hash:948cc502fe9226992dce9417f952fce3
                        Instruction
                        Programming Language:
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x9a10 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xde000 | 0x7594 | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc | 0xd4000 | 0x9a10 | 0x9c00 | 07ce3cd31186a49d818f2cfd4e95e15f | False | 0.30546374198717946 | data | 5.325166743236066 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0xde000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                        RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                        RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                        RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                        RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                        RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                        RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                        RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                        RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                        RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                        RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                        RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
                        RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                        RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
                        RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                        RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                        RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                        RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                        RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                        RT_RCDATA | 0xdc7b8 | 0xcd8 | data | | | 1.003345498783455
                        RT_GROUP_ICON | 0xdd490 | 0x76 | data | English | Great Britain | 0.6610169491525424
                        RT_GROUP_ICON | 0xdd508 | 0x14 | data | English | Great Britain | 1.25
                        RT_GROUP_ICON | 0xdd51c | 0x14 | data | English | Great Britain | 1.15
                        RT_GROUP_ICON | 0xdd530 | 0x14 | data | English | Great Britain | 1.25
                        RT_VERSION | 0xdd544 | 0xdc | data | English | Great Britain | 0.6181818181818182
                        RT_MANIFEST | 0xdd620 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                        DLL | Import
                        WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
                        VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                        WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                        COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                        MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
                        WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
                        PSAPI.DLL | GetProcessMemoryInfo
                        IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
                        USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
                        UxTheme.dll | IsThemeActive
                        KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
                        USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
                        GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
                        COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
                        ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
                        SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
                        ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
                        OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
                        Language of compilation system | Country where language is spoken | Map
                        English | Great Britain |
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Oct 3, 2024 09:28:58.748130083 CEST49712443192.168.2.7184.28.90.27
                        Oct 3, 2024 09:28:58.795572996 CEST49712443192.168.2.7184.28.90.27
                        Oct 3, 2024 09:28:58.843405962 CEST44349712184.28.90.27192.168.2.7
                        Oct 3, 2024 09:28:58.980514050 CEST44349712184.28.90.27192.168.2.7
                        Oct 3, 2024 09:28:58.980590105 CEST44349712184.28.90.27192.168.2.7
                        Oct 3, 2024 09:28:58.980640888 CEST49712443192.168.2.7184.28.90.27
                        Oct 3, 2024 09:28:58.980782032 CEST49712443192.168.2.7184.28.90.27
                        Oct 3, 2024 09:28:58.980802059 CEST44349712184.28.90.27192.168.2.7
                        Oct 3, 2024 09:28:58.980812073 CEST49712443192.168.2.7184.28.90.27
                        Oct 3, 2024 09:28:58.980818987 CEST44349712184.28.90.27192.168.2.7
                        Oct 3, 2024 09:28:59.022418976 CEST49714443192.168.2.7184.28.90.27
                        Oct 3, 2024 09:28:59.022456884 CEST44349714184.28.90.27192.168.2.7
                        Oct 3, 2024 09:28:59.022528887 CEST49714443192.168.2.7184.28.90.27
                        Oct 3, 2024 09:28:59.022844076 CEST49714443192.168.2.7184.28.90.27
                        Oct 3, 2024 09:28:59.022860050 CEST44349714184.28.90.27192.168.2.7
                        Oct 3, 2024 09:28:59.661391020 CEST44349714184.28.90.27192.168.2.7
                        Oct 3, 2024 09:28:59.661546946 CEST49714443192.168.2.7184.28.90.27
                        Oct 3, 2024 09:28:59.662817001 CEST49714443192.168.2.7184.28.90.27
                        Oct 3, 2024 09:28:59.662832975 CEST44349714184.28.90.27192.168.2.7
                        Oct 3, 2024 09:28:59.663113117 CEST44349714184.28.90.27192.168.2.7
                        Oct 3, 2024 09:28:59.664268970 CEST49714443192.168.2.7184.28.90.27
                        Oct 3, 2024 09:28:59.711404085 CEST44349714184.28.90.27192.168.2.7
                        Oct 3, 2024 09:28:59.938859940 CEST44349714184.28.90.27192.168.2.7
                        Oct 3, 2024 09:28:59.938946009 CEST44349714184.28.90.27192.168.2.7
                        Oct 3, 2024 09:28:59.942382097 CEST49714443192.168.2.7184.28.90.27
                        Oct 3, 2024 09:28:59.942382097 CEST49714443192.168.2.7184.28.90.27
                        Oct 3, 2024 09:28:59.942420006 CEST49714443192.168.2.7184.28.90.27
                        Oct 3, 2024 09:28:59.942439079 CEST44349714184.28.90.27192.168.2.7
                        Oct 3, 2024 09:29:00.425220013 CEST49671443192.168.2.7204.79.197.203
                        Oct 3, 2024 09:29:01.588644028 CEST49677443192.168.2.720.50.201.200
                        Oct 3, 2024 09:29:02.208425999 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:02.208484888 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:02.208564997 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:02.208811045 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:02.208823919 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:02.842175007 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:02.842546940 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:02.842569113 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:02.842961073 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:02.843015909 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:02.843692064 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:02.843744993 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:02.846229076 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:02.846288919 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:02.846501112 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:02.846508026 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:02.889811993 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:03.158606052 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.158740997 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.158807039 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:03.158823967 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.158842087 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.158868074 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:03.158874035 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.158915997 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:03.164407015 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.164494991 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:03.170627117 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.170706987 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:03.170720100 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.170773029 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:03.176997900 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.177084923 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:03.183430910 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.183525085 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.183530092 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:03.183553934 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.183590889 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:03.245393991 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.245450974 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.245532990 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:03.245568037 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.245609045 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:03.247574091 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.247657061 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:03.253968000 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.254054070 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:03.254062891 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.254089117 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.254185915 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:03.260210037 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.260304928 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:03.266603947 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.266695023 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:03.266712904 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.272952080 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.273049116 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:03.273056984 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.279342890 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.279441118 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:03.279474974 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.279712915 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:03.279777050 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:03.317819118 CEST49725443192.168.2.7172.217.16.206
                        Oct 3, 2024 09:29:03.317873001 CEST44349725172.217.16.206192.168.2.7
                        Oct 3, 2024 09:29:05.189510107 CEST49736443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:05.189534903 CEST4434973620.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:05.189599991 CEST49736443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:05.190593004 CEST49736443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:05.190608978 CEST4434973620.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:05.490040064 CEST49698443192.168.2.7104.98.116.138
                        Oct 3, 2024 09:29:05.490464926 CEST49738443192.168.2.7104.98.116.138
                        Oct 3, 2024 09:29:05.490504980 CEST44349738104.98.116.138192.168.2.7
                        Oct 3, 2024 09:29:05.490550995 CEST49738443192.168.2.7104.98.116.138
                        Oct 3, 2024 09:29:05.492831945 CEST49738443192.168.2.7104.98.116.138
                        Oct 3, 2024 09:29:05.492852926 CEST44349738104.98.116.138192.168.2.7
                        Oct 3, 2024 09:29:05.495299101 CEST44349698104.98.116.138192.168.2.7
                        Oct 3, 2024 09:29:05.548670053 CEST49710443192.168.2.7142.250.186.36
                        Oct 3, 2024 09:29:05.591465950 CEST44349710142.250.186.36192.168.2.7
                        Oct 3, 2024 09:29:05.814888000 CEST44349710142.250.186.36192.168.2.7
                        Oct 3, 2024 09:29:05.815020084 CEST44349710142.250.186.36192.168.2.7
                        Oct 3, 2024 09:29:05.815088034 CEST49710443192.168.2.7142.250.186.36
                        Oct 3, 2024 09:29:05.815115929 CEST44349710142.250.186.36192.168.2.7
                        Oct 3, 2024 09:29:05.815198898 CEST44349710142.250.186.36192.168.2.7
                        Oct 3, 2024 09:29:05.815246105 CEST49710443192.168.2.7142.250.186.36
                        Oct 3, 2024 09:29:05.815253019 CEST44349710142.250.186.36192.168.2.7
                        Oct 3, 2024 09:29:05.815552950 CEST44349710142.250.186.36192.168.2.7
                        Oct 3, 2024 09:29:05.815617085 CEST49710443192.168.2.7142.250.186.36
                        Oct 3, 2024 09:29:05.816822052 CEST49710443192.168.2.7142.250.186.36
                        Oct 3, 2024 09:29:05.816838026 CEST44349710142.250.186.36192.168.2.7
                        Oct 3, 2024 09:29:05.987323999 CEST4434973620.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:05.987457037 CEST49736443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:06.046062946 CEST49736443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:06.046092987 CEST4434973620.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:06.047137022 CEST4434973620.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:06.098016977 CEST49736443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:06.630928993 CEST49736443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:06.671408892 CEST4434973620.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:06.890465975 CEST4434973620.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:06.890532017 CEST4434973620.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:06.890571117 CEST4434973620.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:06.890592098 CEST49736443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:06.890611887 CEST4434973620.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:06.890625954 CEST49736443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:06.890645981 CEST4434973620.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:06.890661955 CEST49736443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:06.890664101 CEST4434973620.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:06.890697002 CEST49736443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:06.890712976 CEST49736443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:06.890851974 CEST4434973620.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:06.890913963 CEST49736443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:06.890928030 CEST4434973620.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:06.891041040 CEST4434973620.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:06.891088009 CEST49736443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:07.375530005 CEST49736443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:07.375560045 CEST4434973620.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:07.375613928 CEST49736443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:07.375619888 CEST4434973620.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:13.498666048 CEST49677443192.168.2.720.50.201.200
                        Oct 3, 2024 09:29:15.647891045 CEST6115353192.168.2.71.1.1.1
                        Oct 3, 2024 09:29:15.652785063 CEST53611531.1.1.1192.168.2.7
                        Oct 3, 2024 09:29:15.652864933 CEST6115353192.168.2.71.1.1.1
                        Oct 3, 2024 09:29:15.652956009 CEST6115353192.168.2.71.1.1.1
                        Oct 3, 2024 09:29:15.658037901 CEST53611531.1.1.1192.168.2.7
                        Oct 3, 2024 09:29:16.105273008 CEST53611531.1.1.1192.168.2.7
                        Oct 3, 2024 09:29:16.159924030 CEST6115353192.168.2.71.1.1.1
                        Oct 3, 2024 09:29:16.185318947 CEST6115353192.168.2.71.1.1.1
                        Oct 3, 2024 09:29:16.190521002 CEST53611531.1.1.1192.168.2.7
                        Oct 3, 2024 09:29:16.190577030 CEST6115353192.168.2.71.1.1.1
                        Oct 3, 2024 09:29:43.764470100 CEST61158443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:43.764509916 CEST4436115820.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:43.764599085 CEST61158443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:43.765892029 CEST61158443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:43.765903950 CEST4436115820.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:44.582904100 CEST4436115820.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:44.583096027 CEST61158443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:44.586311102 CEST61158443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:44.586318016 CEST4436115820.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:44.586641073 CEST4436115820.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:44.592417955 CEST61158443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:44.635447025 CEST4436115820.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:44.931292057 CEST4436115820.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:44.931356907 CEST4436115820.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:44.931436062 CEST4436115820.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:44.931521893 CEST61158443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:44.931535959 CEST4436115820.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:44.931549072 CEST61158443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:44.931598902 CEST61158443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:44.932436943 CEST4436115820.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:44.932522058 CEST61158443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:44.932529926 CEST4436115820.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:44.932591915 CEST61158443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:44.932596922 CEST4436115820.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:44.932636976 CEST4436115820.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:44.932647943 CEST61158443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:44.932841063 CEST61158443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:44.933845043 CEST61158443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:44.933866978 CEST4436115820.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:44.933872938 CEST61158443192.168.2.720.114.59.183
                        Oct 3, 2024 09:29:44.933877945 CEST4436115820.114.59.183192.168.2.7
                        Oct 3, 2024 09:29:48.243118048 CEST44349738104.98.116.138192.168.2.7
                        Oct 3, 2024 09:29:48.243238926 CEST49738443192.168.2.7104.98.116.138
                        Oct 3, 2024 09:29:57.907326937 CEST61160443192.168.2.7142.250.186.36
                        Oct 3, 2024 09:29:57.907370090 CEST44361160142.250.186.36192.168.2.7
                        Oct 3, 2024 09:29:57.907437086 CEST61160443192.168.2.7142.250.186.36
                        Oct 3, 2024 09:29:57.907651901 CEST61160443192.168.2.7142.250.186.36
                        Oct 3, 2024 09:29:57.907665014 CEST44361160142.250.186.36192.168.2.7
                        Oct 3, 2024 09:29:58.577848911 CEST44361160142.250.186.36192.168.2.7
                        Oct 3, 2024 09:29:58.578254938 CEST61160443192.168.2.7142.250.186.36
                        Oct 3, 2024 09:29:58.578267097 CEST44361160142.250.186.36192.168.2.7
                        Oct 3, 2024 09:29:58.579370022 CEST44361160142.250.186.36192.168.2.7
                        Oct 3, 2024 09:29:58.579663038 CEST61160443192.168.2.7142.250.186.36
                        Oct 3, 2024 09:29:58.579840899 CEST44361160142.250.186.36192.168.2.7
                        Oct 3, 2024 09:29:58.624574900 CEST61160443192.168.2.7142.250.186.36
                        Oct 3, 2024 09:30:08.472001076 CEST44361160142.250.186.36192.168.2.7
                        Oct 3, 2024 09:30:08.472160101 CEST44361160142.250.186.36192.168.2.7
                        Oct 3, 2024 09:30:08.472250938 CEST61160443192.168.2.7142.250.186.36
                        Oct 3, 2024 09:30:35.408639908 CEST61160443192.168.2.7142.250.186.36
                        Oct 3, 2024 09:30:35.408725023 CEST44361160142.250.186.36192.168.2.7
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Oct 3, 2024 09:28:53.398987055 CEST | 192.168.2.7 | 1.1.1.1 | 0x51b1 | Standard query (0) | youtube.com | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:28:53.399274111 CEST | 192.168.2.7 | 1.1.1.1 | 0xd81 | Standard query (0) | youtube.com | 65 | IN (0x0001) | false
                        Oct 3, 2024 09:28:54.364509106 CEST | 192.168.2.7 | 1.1.1.1 | 0x2100 | Standard query (0) | www.youtube.com | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:28:54.364669085 CEST | 192.168.2.7 | 1.1.1.1 | 0x7198 | Standard query (0) | www.youtube.com | 65 | IN (0x0001) | false
                        Oct 3, 2024 09:28:57.850992918 CEST | 192.168.2.7 | 1.1.1.1 | 0xe628 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:28:57.851171970 CEST | 192.168.2.7 | 1.1.1.1 | 0x33ef | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
                        Oct 3, 2024 09:29:02.168725967 CEST | 192.168.2.7 | 1.1.1.1 | 0xca25 | Standard query (0) | accounts.youtube.com | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:29:02.168812037 CEST | 192.168.2.7 | 1.1.1.1 | 0xc6c7 | Standard query (0) | accounts.youtube.com | 65 | IN (0x0001) | false
                        Oct 3, 2024 09:29:03.618099928 CEST | 192.168.2.7 | 1.1.1.1 | 0xa051 | Standard query (0) | play.google.com | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:29:03.619787931 CEST | 192.168.2.7 | 1.1.1.1 | 0x32c9 | Standard query (0) | play.google.com | 65 | IN (0x0001) | false
                        Oct 3, 2024 09:30:05.033771038 CEST | 192.168.2.7 | 1.1.1.1 | 0x5a7f | Standard query (0) | play.google.com | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:30:05.033960104 CEST | 192.168.2.7 | 1.1.1.1 | 0x57ba | Standard query (0) | play.google.com | 65 | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Oct 3, 2024 09:28:53.405827999 CEST | 1.1.1.1 | 192.168.2.7 | 0x51b1 | No error (0) | youtube.com | | 172.217.16.142 | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:28:53.405983925 CEST | 1.1.1.1 | 192.168.2.7 | 0xd81 | No error (0) | youtube.com | | | 65 | IN (0x0001) | false
                        Oct 3, 2024 09:28:54.372121096 CEST | 1.1.1.1 | 192.168.2.7 | 0x2100 | No error (0) | www.youtube.com | youtube-ui.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
                        Oct 3, 2024 09:28:54.372121096 CEST | 1.1.1.1 | 192.168.2.7 | 0x2100 | No error (0) | youtube-ui.l.google.com | | 172.217.18.110 | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:28:54.372121096 CEST | 1.1.1.1 | 192.168.2.7 | 0x2100 | No error (0) | youtube-ui.l.google.com | | 216.58.212.174 | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:28:54.372121096 CEST | 1.1.1.1 | 192.168.2.7 | 0x2100 | No error (0) | youtube-ui.l.google.com | | 216.58.206.46 | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:28:54.372121096 CEST | 1.1.1.1 | 192.168.2.7 | 0x2100 | No error (0) | youtube-ui.l.google.com | | 172.217.16.206 | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:28:54.372121096 CEST | 1.1.1.1 | 192.168.2.7 | 0x2100 | No error (0) | youtube-ui.l.google.com | | 142.250.184.238 | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:28:54.372121096 CEST | 1.1.1.1 | 192.168.2.7 | 0x2100 | No error (0) | youtube-ui.l.google.com | | 142.250.184.206 | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:28:54.372121096 CEST | 1.1.1.1 | 192.168.2.7 | 0x2100 | No error (0) | youtube-ui.l.google.com | | 142.250.186.46 | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:28:54.372121096 CEST | 1.1.1.1 | 192.168.2.7 | 0x2100 | No error (0) | youtube-ui.l.google.com | | 142.250.74.206 | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:28:54.372121096 CEST | 1.1.1.1 | 192.168.2.7 | 0x2100 | No error (0) | youtube-ui.l.google.com | | 172.217.16.142 | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:28:54.372121096 CEST | 1.1.1.1 | 192.168.2.7 | 0x2100 | No error (0) | youtube-ui.l.google.com | | 172.217.18.14 | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:28:54.372121096 CEST | 1.1.1.1 | 192.168.2.7 | 0x2100 | No error (0) | youtube-ui.l.google.com | | 142.250.181.238 | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:28:54.372121096 CEST | 1.1.1.1 | 192.168.2.7 | 0x2100 | No error (0) | youtube-ui.l.google.com | | 142.250.186.142 | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:28:54.372121096 CEST | 1.1.1.1 | 192.168.2.7 | 0x2100 | No error (0) | youtube-ui.l.google.com | | 142.250.186.78 | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:28:54.372121096 CEST | 1.1.1.1 | 192.168.2.7 | 0x2100 | No error (0) | youtube-ui.l.google.com | | 142.250.186.110 | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:28:54.372121096 CEST | 1.1.1.1 | 192.168.2.7 | 0x2100 | No error (0) | youtube-ui.l.google.com | | 142.250.186.174 | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:28:54.372121096 CEST | 1.1.1.1 | 192.168.2.7 | 0x2100 | No error (0) | youtube-ui.l.google.com | | 216.58.206.78 | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:28:54.372222900 CEST | 1.1.1.1 | 192.168.2.7 | 0x7198 | No error (0) | www.youtube.com | youtube-ui.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
                        Oct 3, 2024 09:28:54.372222900 CEST | 1.1.1.1 | 192.168.2.7 | 0x7198 | No error (0) | youtube-ui.l.google.com | | | 65 | IN (0x0001) | false
                        Oct 3, 2024 09:28:57.860878944 CEST | 1.1.1.1 | 192.168.2.7 | 0xe628 | No error (0) | www.google.com | | 142.250.186.36 | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:28:57.860894918 CEST | 1.1.1.1 | 192.168.2.7 | 0x33ef | No error (0) | www.google.com | | | 65 | IN (0x0001) | false
                        Oct 3, 2024 09:29:02.175692081 CEST | 1.1.1.1 | 192.168.2.7 | 0xca25 | No error (0) | accounts.youtube.com | www3.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
                        Oct 3, 2024 09:29:02.175692081 CEST | 1.1.1.1 | 192.168.2.7 | 0xca25 | No error (0) | www3.l.google.com | | 172.217.16.206 | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:29:02.175718069 CEST | 1.1.1.1 | 192.168.2.7 | 0xc6c7 | No error (0) | accounts.youtube.com | www3.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
                        Oct 3, 2024 09:29:03.625215054 CEST | 1.1.1.1 | 192.168.2.7 | 0xa051 | No error (0) | play.google.com | | 142.250.185.142 | A (IP address) | IN (0x0001) | false
                        Oct 3, 2024 09:30:05.318161964 CEST | 1.1.1.1 | 192.168.2.7 | 0x5a7f | No error (0) | play.google.com | | 142.250.185.142 | A (IP address) | IN (0x0001) | false
                        • youtube.com
                        • www.youtube.com
                        • fs.microsoft.com
                        • https:
                          • accounts.youtube.com
                          • www.google.com
                        • slscr.update.microsoft.com
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.7 | 49700 | 172.217.16.142 | 443 | 7528 | C:\Program Files\Google\Chrome\Application\chrome.exe
                        Timestamp | Bytes transferred | Direction | Data
                        2024-10-03 07:28:54 UTC | 847 | OUT | GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1
                        Host: youtube.com
                        Connection: keep-alive
                        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                        sec-ch-ua-mobile: ?0
                        sec-ch-ua-platform: "Windows"
                        Upgrade-Insecure-Requests: 1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlaHLAQiFoM0BCNy9zQEIj8rNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw==
                        Sec-Fetch-Site: none
                        Sec-Fetch-Mode: navigate
                        Sec-Fetch-User: ?1
                        Sec-Fetch-Dest: document
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.9
2024-10-03 07:28:54 UTC | 1704 | IN | HTTP/1.1 301 Moved Permanently
                        Content-Type: application/binary
                        X-Content-Type-Options: nosniff
                        Expires: Thu, 03 Oct 2024 07:28:54 GMT
                        Date: Thu, 03 Oct 2024 07:28:54 GMT
                        Cache-Control: private, max-age=31536000
                        Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd
                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                        X-Frame-Options: SAMEORIGIN
                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                        Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                        Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main"
                        Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]}
                        Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9
                        Content-Security-Policy: require-trusted-types-for 'script'
                        Server: ESF
                        Content-Length: 0
                        X-XSS-Protection: 0
                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                        Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49705 | 172.217.18.110 | 443 | 7528 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 07:28:55 UTC | 865 | OUT | GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1
                        Host: www.youtube.com
                        Connection: keep-alive
                        Upgrade-Insecure-Requests: 1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlaHLAQiFoM0BCNy9zQEIj8rNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw==
                        Sec-Fetch-Site: none
                        Sec-Fetch-Mode: navigate
                        Sec-Fetch-User: ?1
                        Sec-Fetch-Dest: document
                        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                        sec-ch-ua-mobile: ?0
                        sec-ch-ua-platform: "Windows"
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.9
2024-10-03 07:28:55 UTC | 2634 | IN | HTTP/1.1 303 See Other
                        Content-Type: application/binary
                        X-Content-Type-Options: nosniff
                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                        Pragma: no-cache
                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                        Date: Thu, 03 Oct 2024 07:28:55 GMT
                        Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en
                        X-Frame-Options: SAMEORIGIN
                        Strict-Transport-Security: max-age=31536000
                        Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9
                        Content-Security-Policy: require-trusted-types-for 'script'
                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                        Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                        Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main"
                        Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]}
                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                        P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info."
                        Server: ESF
                        Content-Length: 0
                        X-XSS-Protection: 0
                        Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Thu, 03-Oct-2024 07:58:55 GMT; Path=/; Secure; HttpOnly
                        Set-Cookie: YSC=grE3wxp0E4w; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
                        Set-Cookie: VISITOR_INFO1_LIVE=OAMXm8hPjW8; Domain=.youtube.com; Expires=Tue, 01-Apr-2025 07:28:55 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
                        Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgMg%3D%3D; Domain=.youtube.com; Expires=Tue, 01-Apr-2025 07:28:55 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                        Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49712 | 184.28.90.27 | 443 | | 
Timestamp | Bytes transferred | Direction | Data
2024-10-03 07:28:58 UTC | 161 | OUT | HEAD /fs/windows/config.json HTTP/1.1
                        Connection: Keep-Alive
                        Accept: */*
                        Accept-Encoding: identity
                        User-Agent: Microsoft BITS/7.8
                        Host: fs.microsoft.com
2024-10-03 07:28:58 UTC | 466 | IN | HTTP/1.1 200 OK
                        Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
                        Content-Type: application/octet-stream
                        ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
                        Last-Modified: Tue, 16 May 2017 22:58:00 GMT
                        Server: ECAcc (lpl/EF06)
                        X-CID: 11
                        X-Ms-ApiVersion: Distribute 1.2
                        X-Ms-Region: prod-neu-z1
                        Cache-Control: public, max-age=33412
                        Date: Thu, 03 Oct 2024 07:28:58 GMT
                        Connection: close
                        X-CID: 2


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49714 | 184.28.90.27 | 443 | | 
Timestamp | Bytes transferred | Direction | Data
2024-10-03 07:28:59 UTC | 239 | OUT | GET /fs/windows/config.json HTTP/1.1
                        Connection: Keep-Alive
                        Accept: */*
                        Accept-Encoding: identity
                        If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
                        Range: bytes=0-2147483646
                        User-Agent: Microsoft BITS/7.8
                        Host: fs.microsoft.com
2024-10-03 07:28:59 UTC | 514 | IN | HTTP/1.1 200 OK
                        ApiVersion: Distribute 1.1
                        Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
                        Content-Type: application/octet-stream
                        ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
                        Last-Modified: Tue, 16 May 2017 22:58:00 GMT
                        Server: ECAcc (lpl/EF06)
                        X-CID: 11
                        X-Ms-ApiVersion: Distribute 1.2
                        X-Ms-Region: prod-weu-z1
                        Cache-Control: public, max-age=33355
                        Date: Thu, 03 Oct 2024 07:28:59 GMT
                        Content-Length: 55
                        Connection: close
                        X-CID: 2
2024-10-03 07:28:59 UTC | 55 | IN | Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d
                        Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49725 | 172.217.16.206 | 443 | 7528 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 07:29:02 UTC | 1232 | OUT | GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1416443987&timestamp=1727940541297 HTTP/1.1
                        Host: accounts.youtube.com
                        Connection: keep-alive
                        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                        sec-ch-ua-mobile: ?0
                        sec-ch-ua-full-version: "117.0.5938.134"
                        sec-ch-ua-arch: "x86"
                        sec-ch-ua-platform: "Windows"
                        sec-ch-ua-platform-version: "10.0.0"
                        sec-ch-ua-model: ""
                        sec-ch-ua-bitness: "64"
                        sec-ch-ua-wow64: ?0
                        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                        Upgrade-Insecure-Requests: 1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlaHLAQiFoM0BCNy9zQEIj8rNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw==
                        Sec-Fetch-Site: cross-site
                        Sec-Fetch-Mode: navigate
                        Sec-Fetch-User: ?1
                        Sec-Fetch-Dest: iframe
                        Referer: https://accounts.google.com/
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.9
2024-10-03 07:29:03 UTC | 1967 | IN | HTTP/1.1 200 OK
                        Content-Type: text/html; charset=utf-8
                        X-Frame-Options: ALLOW-FROM https://accounts.google.com
                        Content-Security-Policy: frame-ancestors https://accounts.google.com
                        Content-Security-Policy: script-src 'report-sample' 'nonce-Ez7JaBdLRNQGZDwkSp0jhQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self'
                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist
                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport
                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                        Pragma: no-cache
                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                        Date: Thu, 03 Oct 2024 07:29:03 GMT
                        Cross-Origin-Opener-Policy: same-origin
                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                        Cross-Origin-Resource-Policy: cross-origin
                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                        reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjstDikmJw0pBikPj6kkkDiJ3SZ7AGAXHSv_OsRUB8ufsS63UgVu25xGoKxEUSV1ibgFiIm2N__8_tbAINB28LKekl5RfGZ6ak5pVkllSm5OcmZuYl5-dnZ6YWF6cWlaUWxRsZGJkYWBoZ6RlYxBcYAACfeCzU"
                        Server: ESF
                        X-XSS-Protection: 0
                        X-Content-Type-Options: nosniff
                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                        Accept-Ranges: none
                        Vary: Accept-Encoding
                        Connection: close
                        Transfer-Encoding: chunked


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49710 | 142.250.186.36 | 443 | 7528 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 07:29:05 UTC | 1209 | OUT | GET /favicon.ico HTTP/1.1
                        Host: www.google.com
                        Connection: keep-alive
                        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                        sec-ch-ua-mobile: ?0
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                        sec-ch-ua-arch: "x86"
                        sec-ch-ua-full-version: "117.0.5938.134"
                        sec-ch-ua-platform-version: "10.0.0"
                        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                        sec-ch-ua-bitness: "64"
                        sec-ch-ua-model: ""
                        sec-ch-ua-wow64: ?0
                        sec-ch-ua-platform: "Windows"
                        Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                        X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlaHLAQiFoM0BCNy9zQEIj8rNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw==
                        Sec-Fetch-Site: same-site
                        Sec-Fetch-Mode: no-cors
                        Sec-Fetch-Dest: image
                        Referer: https://accounts.google.com/
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.9
                        Cookie: NID=518=CleEhyKrsCecyKn-8vP45eNzb1S_iqL1kssAnrR6gg-yjy6PcAcWGTs1vvTKsVv4vBpwA8oA7JeQeTMWjVVHachQjjk2IqXAokGPbv2SOSo-KmnXLP7a_TD3saZotVaZERZfv6gyiNBgkvEf0HKJLTHfIZWxGBOlH9ewvvZ48kZM0bpD7A
2024-10-03 07:29:05 UTC | 705 | IN | HTTP/1.1 200 OK
                        Accept-Ranges: bytes
                        Cross-Origin-Resource-Policy: cross-origin
                        Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable"
                        Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]}
                        Content-Length: 5430
                        X-Content-Type-Options: nosniff
                        Server: sffe
                        X-XSS-Protection: 0
                        Date: Thu, 03 Oct 2024 06:54:51 GMT
                        Expires: Fri, 11 Oct 2024 06:54:51 GMT
                        Cache-Control: public, max-age=691200
                        Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT
                        Content-Type: image/x-icon
                        Vary: Accept-Encoding
                        Age: 2054
                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                        Connection: close


                        Session ID: 6 | Source IP: 192.168.2.7 | Source Port: 49736 | Destination IP: 20.114.59.183 | Destination Port: 443 | PID: - | Process: -
                        Timestamp | Bytes transferred | Direction | Data
                        2024-10-03 07:29:06 UTC | 306 | OUT | GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=r5e8dGmzzNT5xWy&MD=vbmEhW9l HTTP/1.1
                        Connection: Keep-Alive
                        Accept: */*
                        User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                        Host: slscr.update.microsoft.com
                        2024-10-03 07:29:06 UTC | 560 | IN | HTTP/1.1 200 OK
                        Cache-Control: no-cache
                        Pragma: no-cache
                        Content-Type: application/octet-stream
                        Expires: -1
                        Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                        ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"
                        MS-CorrelationId: 2296ea20-5539-4ec8-ae58-98c89cd9d74f
                        MS-RequestId: c30b142e-6bc3-4fdd-9161-eb99bb68cc5d
                        MS-CV: mGFxL3g3vUGE55C6.0
                        X-Microsoft-SLSClientCache: 2880
                        Content-Disposition: attachment; filename=environment.cab
                        X-Content-Type-Options: nosniff
                        Date: Thu, 03 Oct 2024 07:29:05 GMT
                        Connection: close
                        Content-Length: 24490
                        2024-10-03 07:29:06 UTC15824INData Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58
                        Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
                        2024-10-03 07:29:06 UTC8666INData Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31
                        Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1


                        Session ID: 7 | Source IP: 192.168.2.7 | Source Port: 61158 | Destination IP: 20.114.59.183 | Destination Port: 443 | PID: - | Process: -
                        Timestamp | Bytes transferred | Direction | Data
                        2024-10-03 07:29:44 UTC | 306 | OUT | GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=r5e8dGmzzNT5xWy&MD=vbmEhW9l HTTP/1.1
                        Connection: Keep-Alive
                        Accept: */*
                        User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                        Host: slscr.update.microsoft.com
                        2024-10-03 07:29:44 UTC | 560 | IN | HTTP/1.1 200 OK
                        Cache-Control: no-cache
                        Pragma: no-cache
                        Content-Type: application/octet-stream
                        Expires: -1
                        Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                        ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440"
                        MS-CorrelationId: fcb023a2-2b16-48e8-b599-936fdabfd9ee
                        MS-RequestId: 3d95ba79-2b02-4f1e-a4de-4e402b0ea1cb
                        MS-CV: oK+ZRoHnC0mlaSB6.0
                        X-Microsoft-SLSClientCache: 1440
                        Content-Disposition: attachment; filename=environment.cab
                        X-Content-Type-Options: nosniff
                        Date: Thu, 03 Oct 2024 07:29:44 GMT
                        Connection: close
                        Content-Length: 30005
                        2024-10-03 07:29:44 UTC15824INData Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e
                        Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
                        2024-10-03 07:29:44 UTC14181INData Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f
                        Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro


                        Target ID:0
                        Start time:03:28:48
                        Start date:03/10/2024
                        Path:C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\file.exe"
                        Imagebase:0xa80000
                        File size:919'040 bytes
                        MD5 hash:8D3EE4B9B4F941932E71657E1BBC0AAA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:1
                        Start time:03:28:48
                        Start date:03/10/2024
                        Path:C:\Windows\SysWOW64\taskkill.exe
                        Wow64 process (32bit):true
                        Commandline:taskkill /F /IM chrome.exe /T
                        Imagebase:0x3e0000
                        File size:74'240 bytes
                        MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:true

                        Target ID:2
                        Start time:03:28:48
                        Start date:03/10/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff75da10000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:4
                        Start time:03:28:49
                        Start date:03/10/2024
                        Path:C:\Windows\SysWOW64\taskkill.exe
                        Wow64 process (32bit):true
                        Commandline:taskkill /F /IM msedge.exe /T
                        Imagebase:0x3e0000
                        File size:74'240 bytes
                        MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:true

                        Target ID:5
                        Start time:03:28:49
                        Start date:03/10/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff75da10000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:7
                        Start time:03:28:49
                        Start date:03/10/2024
                        Path:C:\Windows\SysWOW64\taskkill.exe
                        Wow64 process (32bit):true
                        Commandline:taskkill /F /IM firefox.exe /T
                        Imagebase:0x7ff75da10000
                        File size:74'240 bytes
                        MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:true

                        Target ID:8
                        Start time:03:28:49
                        Start date:03/10/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff75da10000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:10
                        Start time:03:28:49
                        Start date:03/10/2024
                        Path:C:\Windows\SysWOW64\taskkill.exe
                        Wow64 process (32bit):true
                        Commandline:taskkill /F /IM opera.exe /T
                        Imagebase:0x3e0000
                        File size:74'240 bytes
                        MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:true

                        Target ID:11
                        Start time:03:28:49
                        Start date:03/10/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff75da10000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:14
                        Start time:03:28:49
                        Start date:03/10/2024
                        Path:C:\Windows\SysWOW64\taskkill.exe
                        Wow64 process (32bit):true
                        Commandline:taskkill /F /IM brave.exe /T
                        Imagebase:0x3e0000
                        File size:74'240 bytes
                        MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:true

                        Target ID:15
                        Start time:03:28:49
                        Start date:03/10/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff75da10000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:18
                        Start time:03:28:51
                        Start date:03/10/2024
                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
                        Imagebase:0x7ff6c4390000
                        File size:3'242'272 bytes
                        MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:false

                        Target ID:20
                        Start time:03:28:51
                        Start date:03/10/2024
                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1840,i,11361579010988229476,10119946490956885098,262144 /prefetch:8
                        Imagebase:0x7ff6c4390000
                        File size:3'242'272 bytes
                        MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:false

                        Target ID:22
                        Start time:03:29:02
                        Start date:03/10/2024
                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5340 --field-trial-handle=1840,i,11361579010988229476,10119946490956885098,262144 /prefetch:8
                        Imagebase:0x7ff6c4390000
                        File size:3'242'272 bytes
                        MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Has exited:false

                        Target ID:23
                        Start time:03:29:02
                        Start date:03/10/2024
                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1840,i,11361579010988229476,10119946490956885098,262144 /prefetch:8
                        Imagebase:0x7ff6c4390000
                        File size:3'242'272 bytes
                        MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true


                          Execution Graph

                          Execution Coverage:2.2%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:4.5%
                          Total number of Nodes:1636
                          Total number of Limit Nodes:50
                          execution_graph 95681 a81cad SystemParametersInfoW 95682 ab8402 95687 ab81be 95682->95687 95686 ab842a 95692 ab81ef try_get_first_available_module 95687->95692 95689 ab83ee 95706 ab27ec 26 API calls __fread_nolock 95689->95706 95691 ab8343 95691->95686 95699 ac0984 95691->95699 95698 ab8338 95692->95698 95702 aa8e0b 40 API calls 2 library calls 95692->95702 95694 ab838c 95694->95698 95703 aa8e0b 40 API calls 2 library calls 95694->95703 95696 ab83ab 95696->95698 95704 aa8e0b 40 API calls 2 library calls 95696->95704 95698->95691 95705 aaf2d9 20 API calls __dosmaperr 95698->95705 95707 ac0081 95699->95707 95701 ac099f 95701->95686 95702->95694 95703->95696 95704->95698 95705->95689 95706->95691 95708 ac008d ___DestructExceptionObject 95707->95708 95709 ac009b 95708->95709 95712 ac00d4 95708->95712 95765 aaf2d9 20 API calls __dosmaperr 95709->95765 95711 ac00a0 95766 ab27ec 26 API calls __fread_nolock 95711->95766 95718 ac065b 95712->95718 95717 ac00aa __fread_nolock 95717->95701 95768 ac042f 95718->95768 95721 ac068d 95800 aaf2c6 20 API calls __dosmaperr 95721->95800 95722 ac06a6 95786 ab5221 95722->95786 95725 ac06ab 95726 ac06cb 95725->95726 95727 ac06b4 95725->95727 95799 ac039a CreateFileW 95726->95799 95802 aaf2c6 20 API calls __dosmaperr 95727->95802 95728 ac0692 95801 aaf2d9 20 API calls __dosmaperr 95728->95801 95732 ac06b9 95803 aaf2d9 20 API calls __dosmaperr 95732->95803 95733 ac00f8 95767 ac0121 LeaveCriticalSection __wsopen_s 95733->95767 95735 ac0781 GetFileType 95736 ac078c GetLastError 95735->95736 95737 ac07d3 95735->95737 95806 aaf2a3 20 API calls __dosmaperr 95736->95806 95808 ab516a 21 API calls 2 library calls 95737->95808 95738 ac0756 GetLastError 95805 aaf2a3 20 API calls __dosmaperr 95738->95805 95741 ac0704 95741->95735 95741->95738 95804 ac039a CreateFileW 95741->95804 95742 ac079a CloseHandle 95742->95728 95744 ac07c3 95742->95744 95807 aaf2d9 20 API calls __dosmaperr 95744->95807 95746 ac0749 95746->95735 
95746->95738 95748 ac07f4 95749 ac0840 95748->95749 95809 ac05ab 72 API calls 3 library calls 95748->95809 95754 ac086d 95749->95754 95810 ac014d 72 API calls 4 library calls 95749->95810 95750 ac07c8 95750->95728 95753 ac0866 95753->95754 95755 ac087e 95753->95755 95811 ab86ae 95754->95811 95755->95733 95757 ac08fc CloseHandle 95755->95757 95826 ac039a CreateFileW 95757->95826 95759 ac0927 95760 ac0931 GetLastError 95759->95760 95761 ac095d 95759->95761 95827 aaf2a3 20 API calls __dosmaperr 95760->95827 95761->95733 95763 ac093d 95828 ab5333 21 API calls 2 library calls 95763->95828 95765->95711 95766->95717 95767->95717 95769 ac046a 95768->95769 95770 ac0450 95768->95770 95829 ac03bf 95769->95829 95770->95769 95836 aaf2d9 20 API calls __dosmaperr 95770->95836 95773 ac045f 95837 ab27ec 26 API calls __fread_nolock 95773->95837 95775 ac04a2 95776 ac04d1 95775->95776 95838 aaf2d9 20 API calls __dosmaperr 95775->95838 95784 ac0524 95776->95784 95840 aad70d 26 API calls 2 library calls 95776->95840 95779 ac051f 95781 ac059e 95779->95781 95779->95784 95780 ac04c6 95839 ab27ec 26 API calls __fread_nolock 95780->95839 95841 ab27fc 11 API calls _abort 95781->95841 95784->95721 95784->95722 95785 ac05aa 95787 ab522d ___DestructExceptionObject 95786->95787 95844 ab2f5e EnterCriticalSection 95787->95844 95789 ab5234 95790 ab5259 95789->95790 95795 ab52c7 EnterCriticalSection 95789->95795 95796 ab527b 95789->95796 95848 ab5000 95790->95848 95793 ab52a4 __fread_nolock 95793->95725 95795->95796 95797 ab52d4 LeaveCriticalSection 95795->95797 95845 ab532a 95796->95845 95797->95789 95799->95741 95800->95728 95801->95733 95802->95732 95803->95728 95804->95746 95805->95728 95806->95742 95807->95750 95808->95748 95809->95749 95810->95753 95874 ab53c4 95811->95874 95813 ab86c4 95887 ab5333 21 API calls 2 library calls 95813->95887 95815 ab86be 95815->95813 95816 ab86f6 95815->95816 95819 ab53c4 __wsopen_s 26 API calls 95815->95819 95816->95813 95817 ab53c4 __wsopen_s 26 API calls 
95816->95817 95820 ab8702 CloseHandle 95817->95820 95818 ab871c 95821 ab873e 95818->95821 95888 aaf2a3 20 API calls __dosmaperr 95818->95888 95822 ab86ed 95819->95822 95820->95813 95823 ab870e GetLastError 95820->95823 95821->95733 95825 ab53c4 __wsopen_s 26 API calls 95822->95825 95823->95813 95825->95816 95826->95759 95827->95763 95828->95761 95831 ac03d7 95829->95831 95830 ac03f2 95830->95775 95831->95830 95842 aaf2d9 20 API calls __dosmaperr 95831->95842 95833 ac0416 95843 ab27ec 26 API calls __fread_nolock 95833->95843 95835 ac0421 95835->95775 95836->95773 95837->95769 95838->95780 95839->95776 95840->95779 95841->95785 95842->95833 95843->95835 95844->95789 95856 ab2fa6 LeaveCriticalSection 95845->95856 95847 ab5331 95847->95793 95857 ab4c7d 95848->95857 95850 ab501f 95865 ab29c8 95850->95865 95853 ab5071 95853->95796 95855 ab5147 EnterCriticalSection 95853->95855 95854 ab5012 95854->95850 95864 ab3405 11 API calls 2 library calls 95854->95864 95855->95796 95856->95847 95862 ab4c8a __dosmaperr 95857->95862 95858 ab4cca 95872 aaf2d9 20 API calls __dosmaperr 95858->95872 95859 ab4cb5 RtlAllocateHeap 95860 ab4cc8 95859->95860 95859->95862 95860->95854 95862->95858 95862->95859 95871 aa4ead 7 API calls 2 library calls 95862->95871 95864->95854 95866 ab29d3 RtlFreeHeap 95865->95866 95867 ab29fc __dosmaperr 95865->95867 95866->95867 95868 ab29e8 95866->95868 95867->95853 95873 aaf2d9 20 API calls __dosmaperr 95868->95873 95870 ab29ee GetLastError 95870->95867 95871->95862 95872->95860 95873->95870 95875 ab53d1 95874->95875 95877 ab53e6 95874->95877 95889 aaf2c6 20 API calls __dosmaperr 95875->95889 95880 ab540b 95877->95880 95891 aaf2c6 20 API calls __dosmaperr 95877->95891 95879 ab53d6 95890 aaf2d9 20 API calls __dosmaperr 95879->95890 95880->95815 95881 ab5416 95892 aaf2d9 20 API calls __dosmaperr 95881->95892 95883 ab53de 95883->95815 95885 ab541e 95893 ab27ec 26 API calls __fread_nolock 95885->95893 95887->95818 95888->95821 95889->95879 95890->95883 
95891->95881 95892->95885 95893->95883 95894 ac2ba5 95895 ac2baf 95894->95895 95896 a82b25 95894->95896 95940 a83a5a 95895->95940 95922 a82b83 7 API calls 95896->95922 95900 ac2bb8 95947 a89cb3 95900->95947 95903 a82b2f 95910 a82b44 95903->95910 95926 a83837 95903->95926 95904 ac2bc6 95905 ac2bce 95904->95905 95906 ac2bf5 95904->95906 95953 a833c6 95905->95953 95907 a833c6 22 API calls 95906->95907 95921 ac2bf1 GetForegroundWindow ShellExecuteW 95907->95921 95913 a82b5f 95910->95913 95936 a830f2 95910->95936 95918 a82b66 SetCurrentDirectoryW 95913->95918 95915 ac2c26 95915->95913 95920 a82b7a 95918->95920 95919 a833c6 22 API calls 95919->95921 95921->95915 95971 a82cd4 7 API calls 95922->95971 95924 a82b2a 95925 a82c63 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 95924->95925 95925->95903 95927 a83862 ___scrt_fastfail 95926->95927 95972 a84212 95927->95972 95931 ac3386 Shell_NotifyIconW 95932 a83906 Shell_NotifyIconW 95976 a83923 95932->95976 95933 a838e8 95933->95931 95933->95932 95935 a8391c 95935->95910 95937 a83154 95936->95937 95938 a83104 ___scrt_fastfail 95936->95938 95937->95913 95939 a83123 Shell_NotifyIconW 95938->95939 95939->95937 96063 ac1f50 95940->96063 95943 a89cb3 22 API calls 95944 a83a8d 95943->95944 96065 a83aa2 95944->96065 95946 a83a97 95946->95900 95948 a89cc2 _wcslen 95947->95948 95949 a9fe0b 22 API calls 95948->95949 95950 a89cea __fread_nolock 95949->95950 95951 a9fddb 22 API calls 95950->95951 95952 a89d00 95951->95952 95952->95904 95954 a833dd 95953->95954 95955 ac30bb 95953->95955 96085 a833ee 95954->96085 95957 a9fddb 22 API calls 95955->95957 95959 ac30c5 _wcslen 95957->95959 95958 a833e8 95962 a86350 95958->95962 95960 a9fe0b 22 API calls 95959->95960 95961 ac30fe __fread_nolock 95960->95961 95963 a86362 95962->95963 95964 ac4a51 95962->95964 96100 a86373 95963->96100 96110 a84a88 22 API calls __fread_nolock 95964->96110 95967 a8636e 95967->95919 95968 ac4a5b 95969 ac4a67 95968->95969 96111 a8a8c7 22 API calls __fread_nolock 
97331 ab2317 97302->97331 97305 a9fee6 97305->97271 97307->97271 97309 ab2494 97308->97309 97310 aa0a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 97309->97310 97311 aa0451 97310->97311 97311->97282 97312 ab2421 97311->97312 97314 ab2450 97312->97314 97313 aa0a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 97315 ab2479 97313->97315 97314->97313 97315->97284 97382 aa2340 97316->97382 97319 aa097f 97319->97286 97384 aa4bcf 97320->97384 97323->97288 97324->97291 97325->97293 97326->97296 97327->97274 97329->97300 97330->97302 97335 abd1f6 97331->97335 97334 aa2cbd 8 API calls 3 library calls 97334->97307 97337 abd20f 97335->97337 97339 abd213 97335->97339 97353 aa0a8c 97337->97353 97338 a9fed8 97338->97305 97338->97334 97339->97337 97341 ab4bfb 97339->97341 97342 ab4c07 ___DestructExceptionObject 97341->97342 97360 ab2f5e EnterCriticalSection 97342->97360 97344 ab4c0e 97361 ab50af 97344->97361 97346 ab4c1d 97347 ab4c2c 97346->97347 97374 ab4a8f 29 API calls 97346->97374 97376 ab4c48 LeaveCriticalSection _abort 97347->97376 97350 ab4c27 97375 ab4b45 GetStdHandle GetFileType 97350->97375 97352 ab4c3d __fread_nolock 97352->97339 97354 aa0a97 IsProcessorFeaturePresent 97353->97354 97355 aa0a95 97353->97355 97357 aa0c5d 97354->97357 97355->97338 97381 aa0c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 97357->97381 97359 aa0d40 97359->97338 97360->97344 97362 ab50bb ___DestructExceptionObject 97361->97362 97363 ab50c8 97362->97363 97364 ab50df 97362->97364 97378 aaf2d9 20 API calls __dosmaperr 97363->97378 97377 ab2f5e EnterCriticalSection 97364->97377 97367 ab50cd 97379 ab27ec 26 API calls __fread_nolock 97367->97379 97369 ab5117 97380 ab513e LeaveCriticalSection _abort 97369->97380 97370 ab50d7 __fread_nolock 97370->97346 97371 ab50eb 97371->97369 97373 ab5000 
__wsopen_s 21 API calls 97371->97373 97373->97371 97374->97350 97375->97347 97376->97352 97377->97371 97378->97367 97379->97370 97380->97370 97381->97359 97383 aa096c GetStartupInfoW 97382->97383 97383->97319 97385 aa4bdb _abort 97384->97385 97386 aa4be2 97385->97386 97387 aa4bf4 97385->97387 97423 aa4d29 GetModuleHandleW 97386->97423 97408 ab2f5e EnterCriticalSection 97387->97408 97390 aa4be7 97390->97387 97424 aa4d6d GetModuleHandleExW 97390->97424 97391 aa4c99 97412 aa4cd9 97391->97412 97394 aa4c70 97399 aa4c88 97394->97399 97403 ab2421 _abort 5 API calls 97394->97403 97397 aa4ce2 97432 ac1d29 5 API calls __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 97397->97432 97398 aa4cb6 97415 aa4ce8 97398->97415 97404 ab2421 _abort 5 API calls 97399->97404 97403->97399 97404->97391 97405 aa4bfb 97405->97391 97405->97394 97409 ab21a8 97405->97409 97408->97405 97433 ab1ee1 97409->97433 97452 ab2fa6 LeaveCriticalSection 97412->97452 97414 aa4cb2 97414->97397 97414->97398 97453 ab360c 97415->97453 97418 aa4d16 97421 aa4d6d _abort 8 API calls 97418->97421 97419 aa4cf6 GetPEB 97419->97418 97420 aa4d06 GetCurrentProcess TerminateProcess 97419->97420 97420->97418 97422 aa4d1e ExitProcess 97421->97422 97423->97390 97425 aa4dba 97424->97425 97426 aa4d97 GetProcAddress 97424->97426 97428 aa4dc9 97425->97428 97429 aa4dc0 FreeLibrary 97425->97429 97427 aa4dac 97426->97427 97427->97425 97430 aa0a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 97428->97430 97429->97428 97431 aa4bf3 97430->97431 97431->97387 97436 ab1e90 97433->97436 97435 ab1f05 97435->97394 97437 ab1e9c ___DestructExceptionObject 97436->97437 97444 ab2f5e EnterCriticalSection 97437->97444 97439 ab1eaa 97445 ab1f31 97439->97445 97443 ab1ec8 __fread_nolock 97443->97435 97444->97439 97448 ab1f51 97445->97448 97449 ab1f59 97445->97449 97446 aa0a8c 
__ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 97447 ab1eb7 97446->97447 97451 ab1ed5 LeaveCriticalSection _abort 97447->97451 97448->97446 97449->97448 97450 ab29c8 _free 20 API calls 97449->97450 97450->97448 97451->97443 97452->97414 97454 ab3631 97453->97454 97455 ab3627 97453->97455 97460 ab2fd7 5 API calls 2 library calls 97454->97460 97457 aa0a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 97455->97457 97458 aa4cf2 97457->97458 97458->97418 97458->97419 97459 ab3648 97459->97455 97460->97459 97461 a8105b 97466 a8344d 97461->97466 97463 a8106a 97497 aa00a3 29 API calls __onexit 97463->97497 97465 a81074 97467 a8345d __wsopen_s 97466->97467 97468 a8a961 22 API calls 97467->97468 97469 a83513 97468->97469 97470 a83a5a 24 API calls 97469->97470 97471 a8351c 97470->97471 97498 a83357 97471->97498 97474 a833c6 22 API calls 97475 a83535 97474->97475 97476 a8515f 22 API calls 97475->97476 97477 a83544 97476->97477 97478 a8a961 22 API calls 97477->97478 97479 a8354d 97478->97479 97480 a8a6c3 22 API calls 97479->97480 97481 a83556 RegOpenKeyExW 97480->97481 97482 ac3176 RegQueryValueExW 97481->97482 97487 a83578 97481->97487 97483 ac320c RegCloseKey 97482->97483 97484 ac3193 97482->97484 97483->97487 97493 ac321e _wcslen 97483->97493 97485 a9fe0b 22 API calls 97484->97485 97486 ac31ac 97485->97486 97488 a85722 22 API calls 97486->97488 97487->97463 97489 ac31b7 RegQueryValueExW 97488->97489 97490 ac31d4 97489->97490 97492 ac31ee messages 97489->97492 97491 a86b57 22 API calls 97490->97491 97491->97492 97492->97483 97493->97487 97494 a89cb3 22 API calls 97493->97494 97495 a8515f 22 API calls 97493->97495 97496 a84c6d 22 API calls 97493->97496 97494->97493 97495->97493 97496->97493 97497->97465 97499 ac1f50 __wsopen_s 97498->97499 97500 a83364 GetFullPathNameW 97499->97500 97501 a83386 97500->97501 97502 
a86b57 22 API calls 97501->97502 97503 a833a4 97502->97503 97503->97474 97504 a8dddc 97507 a8b710 97504->97507 97508 a8b72b 97507->97508 97509 ad00f8 97508->97509 97510 ad0146 97508->97510 97536 a8b750 97508->97536 97513 ad0102 97509->97513 97516 ad010f 97509->97516 97509->97536 97549 b058a2 348 API calls 2 library calls 97510->97549 97547 b05d33 348 API calls 97513->97547 97533 a8ba20 97516->97533 97548 b061d0 348 API calls 2 library calls 97516->97548 97519 ad03d9 97519->97519 97522 a9d336 40 API calls 97522->97536 97524 a8ba4e 97525 ad0322 97553 b05c0c 82 API calls 97525->97553 97532 a8bbe0 40 API calls 97532->97536 97533->97524 97554 af359c 82 API calls __wsopen_s 97533->97554 97534 a8ec40 348 API calls 97534->97536 97536->97522 97536->97524 97536->97525 97536->97532 97536->97533 97536->97534 97538 a8a81b 41 API calls 97536->97538 97539 a9d2f0 40 API calls 97536->97539 97540 a9a01b 348 API calls 97536->97540 97541 aa0242 5 API calls __Init_thread_wait 97536->97541 97542 a9edcd 22 API calls 97536->97542 97543 aa00a3 29 API calls __onexit 97536->97543 97544 aa01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97536->97544 97545 a9ee53 82 API calls 97536->97545 97546 a9e5ca 348 API calls 97536->97546 97550 a8aceb 23 API calls messages 97536->97550 97551 adf6bf 23 API calls 97536->97551 97552 a8a8c7 22 API calls __fread_nolock 97536->97552 97538->97536 97539->97536 97540->97536 97541->97536 97542->97536 97543->97536 97544->97536 97545->97536 97546->97536 97547->97516 97548->97533 97549->97536 97550->97536 97551->97536 97552->97536 97553->97533 97554->97519 97555 a8f7bf 97556 a8f7d3 97555->97556 97557 a8fcb6 97555->97557 97558 a8fcc2 97556->97558 97560 a9fddb 22 API calls 97556->97560 97592 a8aceb 23 API calls messages 97557->97592 97593 a8aceb 23 API calls messages 97558->97593 97562 a8f7e5 97560->97562 97562->97558 97563 a8f83e 97562->97563 97564 a8fd3d 97562->97564 97566 a91310 348 API calls 97563->97566 97580 a8ed9d messages 97563->97580 97594 
af1155 22 API calls 97564->97594 97588 a8ec76 messages 97566->97588 97567 a8fef7 97567->97580 97596 a8a8c7 22 API calls __fread_nolock 97567->97596 97570 ad4600 97570->97580 97595 a8a8c7 22 API calls __fread_nolock 97570->97595 97571 ad4b0b 97598 af359c 82 API calls __wsopen_s 97571->97598 97572 a8a8c7 22 API calls 97572->97588 97578 a8fbe3 97578->97580 97581 ad4bdc 97578->97581 97589 a8f3ae messages 97578->97589 97579 a8a961 22 API calls 97579->97588 97599 af359c 82 API calls __wsopen_s 97581->97599 97583 aa0242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 97583->97588 97584 ad4beb 97600 af359c 82 API calls __wsopen_s 97584->97600 97585 aa01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 97585->97588 97586 aa00a3 29 API calls pre_c_initialization 97586->97588 97587 a9fddb 22 API calls 97587->97588 97588->97567 97588->97570 97588->97571 97588->97572 97588->97578 97588->97579 97588->97580 97588->97583 97588->97584 97588->97585 97588->97586 97588->97587 97588->97589 97590 a901e0 348 API calls 2 library calls 97588->97590 97591 a906a0 41 API calls messages 97588->97591 97589->97580 97597 af359c 82 API calls __wsopen_s 97589->97597 97590->97588 97591->97588 97592->97558 97593->97564 97594->97580 97595->97580 97596->97580 97597->97580 97598->97580 97599->97584 97600->97580 97601 ad3f75 97612 a9ceb1 97601->97612 97603 ad3f8b 97611 ad4006 97603->97611 97621 a9e300 23 API calls 97603->97621 97605 a8bf40 348 API calls 97606 ad4052 97605->97606 97608 ad4a88 97606->97608 97623 af359c 82 API calls __wsopen_s 97606->97623 97609 ad3fe6 97609->97606 97622 af1abf 22 API calls 97609->97622 97611->97605 97613 a9cebf 97612->97613 97614 a9ced2 97612->97614 97624 a8aceb 23 API calls messages 97613->97624 97616 a9cf05 97614->97616 97617 a9ced7 97614->97617 97625 a8aceb 23 API calls messages 97616->97625 97619 a9fddb 22 API calls 97617->97619 97620 a9cec9 97619->97620 97620->97603 
97621->97609 97622->97611 97623->97608 97624->97620 97625->97620 97626 a81033 97631 a84c91 97626->97631 97630 a81042 97632 a8a961 22 API calls 97631->97632 97633 a84cff 97632->97633 97640 a83af0 97633->97640 97635 ac3cb6 97637 a84d9c 97637->97635 97638 a81038 97637->97638 97643 a851f7 22 API calls __fread_nolock 97637->97643 97639 aa00a3 29 API calls __onexit 97638->97639 97639->97630 97644 a83b1c 97640->97644 97643->97637 97645 a83b0f 97644->97645 97646 a83b29 97644->97646 97645->97637 97646->97645 97647 a83b30 RegOpenKeyExW 97646->97647 97647->97645 97648 a83b4a RegQueryValueExW 97647->97648 97649 a83b80 RegCloseKey 97648->97649 97650 a83b6b 97648->97650 97649->97645 97650->97649 97651 a83156 97654 a83170 97651->97654 97655 a83187 97654->97655 97656 a831e9 97655->97656 97657 a831eb 97655->97657 97658 a8318c 97655->97658 97659 a831d0 DefWindowProcW 97656->97659 97660 ac2dfb 97657->97660 97661 a831f1 97657->97661 97662 a83199 97658->97662 97663 a83265 PostQuitMessage 97658->97663 97666 a8316a 97659->97666 97709 a818e2 10 API calls 97660->97709 97667 a831f8 97661->97667 97668 a8321d SetTimer RegisterWindowMessageW 97661->97668 97664 ac2e7c 97662->97664 97665 a831a4 97662->97665 97663->97666 97712 aebf30 34 API calls ___scrt_fastfail 97664->97712 97671 ac2e68 97665->97671 97672 a831ae 97665->97672 97675 ac2d9c 97667->97675 97676 a83201 KillTimer 97667->97676 97668->97666 97673 a83246 CreatePopupMenu 97668->97673 97670 ac2e1c 97710 a9e499 42 API calls 97670->97710 97699 aec161 97671->97699 97678 ac2e4d 97672->97678 97679 a831b9 97672->97679 97673->97666 97681 ac2dd7 MoveWindow 97675->97681 97682 ac2da1 97675->97682 97683 a830f2 Shell_NotifyIconW 97676->97683 97678->97659 97711 ae0ad7 22 API calls 97678->97711 97685 a831c4 97679->97685 97686 a83253 97679->97686 97680 ac2e8e 97680->97659 97680->97666 97681->97666 97687 ac2dc6 SetFocus 97682->97687 97688 ac2da7 97682->97688 97689 a83214 97683->97689 97685->97659 97696 a830f2 Shell_NotifyIconW 97685->97696 97707 a8326f 44 
API calls ___scrt_fastfail 97686->97707 97687->97666 97688->97685 97691 ac2db0 97688->97691 97706 a83c50 DeleteObject DestroyWindow 97689->97706 97708 a818e2 10 API calls 97691->97708 97694 a83263 97694->97666 97697 ac2e41 97696->97697 97698 a83837 49 API calls 97697->97698 97698->97656 97700 aec179 ___scrt_fastfail 97699->97700 97701 aec276 97699->97701 97702 a83923 24 API calls 97700->97702 97701->97666 97704 aec1a0 97702->97704 97703 aec25f KillTimer SetTimer 97703->97701 97704->97703 97705 aec251 Shell_NotifyIconW 97704->97705 97705->97703 97706->97666 97707->97694 97708->97666 97709->97670 97710->97685 97711->97656 97712->97680 97713 a82e37 97714 a8a961 22 API calls 97713->97714 97715 a82e4d 97714->97715 97792 a84ae3 97715->97792 97717 a82e6b 97718 a83a5a 24 API calls 97717->97718 97719 a82e7f 97718->97719 97720 a89cb3 22 API calls 97719->97720 97721 a82e8c 97720->97721 97722 a84ecb 94 API calls 97721->97722 97723 a82ea5 97722->97723 97724 a82ead 97723->97724 97725 ac2cb0 97723->97725 97806 a8a8c7 22 API calls __fread_nolock 97724->97806 97726 af2cf9 80 API calls 97725->97726 97727 ac2cc3 97726->97727 97728 ac2ccf 97727->97728 97731 a84f39 68 API calls 97727->97731 97734 a84f39 68 API calls 97728->97734 97730 a82ec3 97807 a86f88 22 API calls 97730->97807 97731->97728 97733 a82ecf 97735 a89cb3 22 API calls 97733->97735 97736 ac2ce5 97734->97736 97737 a82edc 97735->97737 97823 a83084 22 API calls 97736->97823 97808 a8a81b 41 API calls 97737->97808 97740 a82eec 97742 a89cb3 22 API calls 97740->97742 97741 ac2d02 97824 a83084 22 API calls 97741->97824 97744 a82f12 97742->97744 97809 a8a81b 41 API calls 97744->97809 97745 ac2d1e 97747 a83a5a 24 API calls 97745->97747 97748 ac2d44 97747->97748 97825 a83084 22 API calls 97748->97825 97749 a82f21 97751 a8a961 22 API calls 97749->97751 97753 a82f3f 97751->97753 97752 ac2d50 97826 a8a8c7 22 API calls __fread_nolock 97752->97826 97810 a83084 22 API calls 97753->97810 97756 ac2d5e 97827 a83084 22 API calls 97756->97827 
97757 a82f4b 97811 aa4a28 40 API calls 3 library calls 97757->97811 97759 ac2d6d 97828 a8a8c7 22 API calls __fread_nolock 97759->97828 97761 a82f59 97761->97736 97762 a82f63 97761->97762 97812 aa4a28 40 API calls 3 library calls 97762->97812 97765 ac2d83 97829 a83084 22 API calls 97765->97829 97766 a82f6e 97766->97741 97768 a82f78 97766->97768 97813 aa4a28 40 API calls 3 library calls 97768->97813 97769 ac2d90 97771 a82f83 97771->97745 97772 a82f8d 97771->97772 97814 aa4a28 40 API calls 3 library calls 97772->97814 97774 a82fdc 97774->97759 97776 a82fe8 97774->97776 97775 a82f98 97775->97774 97815 a83084 22 API calls 97775->97815 97776->97769 97779 a863eb 22 API calls 97776->97779 97778 a82fbf 97816 a8a8c7 22 API calls __fread_nolock 97778->97816 97781 a82ff8 97779->97781 97818 a86a50 22 API calls 97781->97818 97782 a82fcd 97817 a83084 22 API calls 97782->97817 97785 a83006 97819 a870b0 23 API calls 97785->97819 97789 a83021 97790 a83065 97789->97790 97820 a86f88 22 API calls 97789->97820 97821 a870b0 23 API calls 97789->97821 97822 a83084 22 API calls 97789->97822 97793 a84af0 __wsopen_s 97792->97793 97794 a86b57 22 API calls 97793->97794 97795 a84b22 97793->97795 97794->97795 97796 a84c6d 22 API calls 97795->97796 97805 a84b58 97795->97805 97796->97795 97797 a89cb3 22 API calls 97799 a84c52 97797->97799 97798 a89cb3 22 API calls 97798->97805 97801 a8515f 22 API calls 97799->97801 97800 a84c6d 22 API calls 97800->97805 97803 a84c5e 97801->97803 97802 a8515f 22 API calls 97802->97805 97803->97717 97804 a84c29 97804->97797 97804->97803 97805->97798 97805->97800 97805->97802 97805->97804 97806->97730 97807->97733 97808->97740 97809->97749 97810->97757 97811->97761 97812->97766 97813->97771 97814->97775 97815->97778 97816->97782 97817->97774 97818->97785 97819->97789 97820->97789 97821->97789 97822->97789 97823->97741 97824->97745 97825->97752 97826->97756 97827->97759 97828->97765 97829->97769

                          Control-flow Graph

                          APIs
                          • GetVersionExW.KERNEL32(?), ref: 00A8430D
                            • Part of subcall function 00A86B57: _wcslen.LIBCMT ref: 00A86B6A
                          • GetCurrentProcess.KERNEL32(?,00B1CB64,00000000,?,?), ref: 00A84422
                          • IsWow64Process.KERNEL32(00000000,?,?), ref: 00A84429
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00A84454
                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A84466
                          • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00A84474
                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 00A8447B
                          • GetSystemInfo.KERNEL32(?,?,?), ref: 00A844A0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                          • String ID: GetNativeSystemInfo$kernel32.dll$|O
                          • API String ID: 3290436268-3101561225
                          • Opcode ID: 2daba40f0f0c45baea59a0b80a4b7fa19e3ffb0d23ab8f6025bdc8844bd563d3
                          • Instruction ID: a12c3e87b76067585a16437cf56908e7bcbcdc7b61620875501a7d32c3e0d904
                          • Opcode Fuzzy Hash: 2daba40f0f0c45baea59a0b80a4b7fa19e3ffb0d23ab8f6025bdc8844bd563d3
                          • Instruction Fuzzy Hash: B1A1A17294A3C0FFDB11D76DBC657957FE46F3A346B088CEDD08197A22DA204908CB29

                          Control-flow Graph

                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00A850AA,?,?,00000000,00000000), ref: 00A842B2
                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A850AA,?,?,00000000,00000000), ref: 00A842C9
                          • LoadResource.KERNEL32(?,00000000,?,?,00A850AA,?,?,00000000,00000000,?,?,?,?,?,?,00A84F20), ref: 00AC35BE
                          • SizeofResource.KERNEL32(?,00000000,?,?,00A850AA,?,?,00000000,00000000,?,?,?,?,?,?,00A84F20), ref: 00AC35D3
                          • LockResource.KERNEL32(00A850AA,?,?,00A850AA,?,?,00000000,00000000,?,?,?,?,?,?,00A84F20,?), ref: 00AC35E6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                          • String ID: SCRIPT
                          • API String ID: 3051347437-3967369404
                          • Opcode ID: 85003a10613887bc30d01d000a1da82b790a424821b6cf3e3bfc74526d3fd07f
                          • Instruction ID: 0fcefbf236babf106bca2f7f340c77b995cc1ead9adf08d4614e01a0338017dd
                          • Opcode Fuzzy Hash: 85003a10613887bc30d01d000a1da82b790a424821b6cf3e3bfc74526d3fd07f
                          • Instruction Fuzzy Hash: 20117C75244705BFDB219B65DC48FA77FB9EBC9B55F208169B402D7260EB71D8008A60

                          Control-flow Graph

                          APIs
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00A82B6B
                            • Part of subcall function 00A83A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B51418,?,00A82E7F,?,?,?,00000000), ref: 00A83A78
                            • Part of subcall function 00A89CB3: _wcslen.LIBCMT ref: 00A89CBD
                          • GetForegroundWindow.USER32(runas,?,?,?,?,?,00B42224), ref: 00AC2C10
                          • ShellExecuteW.SHELL32(00000000,?,?,00B42224), ref: 00AC2C17
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                          • String ID: runas
                          • API String ID: 448630720-4000483414
                          • Opcode ID: acde094dd9ac3a445ea1b35529ee2aca92c0824e3871f04c41441cde9796c78d
                          • Instruction ID: 77275fc940becdd42289214fbc3637cd40777a5e6ff395e1c817d7f5a335feca
                          • Opcode Fuzzy Hash: acde094dd9ac3a445ea1b35529ee2aca92c0824e3871f04c41441cde9796c78d
                          • Instruction Fuzzy Hash: 3A11E6322083016ACB15FF64DA56FBEBBE8EF91741F44186DF082571A3CF218A4AD712

                          Control-flow Graph

                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00B0A6AC
                          • Process32FirstW.KERNEL32(00000000,?), ref: 00B0A6BA
                            • Part of subcall function 00A89CB3: _wcslen.LIBCMT ref: 00A89CBD
                          • Process32NextW.KERNEL32(00000000,?), ref: 00B0A79C
                          • CloseHandle.KERNELBASE(00000000), ref: 00B0A7AB
                            • Part of subcall function 00A9CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00AC3303,?), ref: 00A9CE8A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                          • String ID:
                          • API String ID: 1991900642-0
                          • Opcode ID: 10a3e29da5ae1bce2563e0b29a255e17831756b8a23412446628a7f18873b4cf
                          • Instruction ID: a30ba309ec37bd2a02fdbf6a6e8c1c2587d784fffce5796201de96cceb5c06c3
                          • Opcode Fuzzy Hash: 10a3e29da5ae1bce2563e0b29a255e17831756b8a23412446628a7f18873b4cf
                          • Instruction Fuzzy Hash: D6518B71508311AFD710EF24C986E6BBBE8FF89754F00892DF589A7291EB30D904CB92

                          Control-flow Graph

                          APIs
                          • lstrlenW.KERNEL32(?,00AC5222), ref: 00AEDBCE
                          • GetFileAttributesW.KERNELBASE(?), ref: 00AEDBDD
                          • FindFirstFileW.KERNEL32(?,?), ref: 00AEDBEE
                          • FindClose.KERNEL32(00000000), ref: 00AEDBFA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: FileFind$AttributesCloseFirstlstrlen
                          • String ID:
                          • API String ID: 2695905019-0
                          • Opcode ID: ebc583692d53de2828b80a8887c1e6cae4008d62c028d13602c76f362428763b
                          • Instruction ID: 9f457b526094b801aab967788bd205d82f2437ab4edaf51a0ff85d90e04e75c6
                          • Opcode Fuzzy Hash: ebc583692d53de2828b80a8887c1e6cae4008d62c028d13602c76f362428763b
                          • Instruction Fuzzy Hash: 4FF0E5308509106782206F7CAC0D8EA3B7C9E81374BA08702F836C30F0EFB05D64C6D6
                          APIs
                          • GetCurrentProcess.KERNEL32(00AB28E9,?,00AA4CBE,00AB28E9,00B488B8,0000000C,00AA4E15,00AB28E9,00000002,00000000,?,00AB28E9), ref: 00AA4D09
                          • TerminateProcess.KERNEL32(00000000,?,00AA4CBE,00AB28E9,00B488B8,0000000C,00AA4E15,00AB28E9,00000002,00000000,?,00AB28E9), ref: 00AA4D10
                          • ExitProcess.KERNEL32 ref: 00AA4D22
                          Similarity
                          • API ID: Process$CurrentExitTerminate
                          • String ID:
                          • API String ID: 1703294689-0
                          • Opcode ID: 5bb1b2a17f3a737aeaf9709c3e781c15dbdb48926b48b5d6991c0faa4ee85e77
                          • Instruction ID: 9ea91281e2ee7e79e986bade2b91d73a2fe7e39e4072a9294b2e9e5b09409ae9
                          • Opcode Fuzzy Hash: 5bb1b2a17f3a737aeaf9709c3e781c15dbdb48926b48b5d6991c0faa4ee85e77
                          • Instruction Fuzzy Hash: A9E0B631040148AFCF11AF54EE09A997F69EB86785B508014FD159B162DB75DE52CA84

                          Control-flow Graph: function b0aff9, blocks b0aff9-b0b4f6 (GetSystemDirectoryW, GetCurrentDirectoryW, CreateProcessW, GetLastError, CloseHandle); edge list and executed/not-executed legend of the graph image omitted
                          APIs
                          • _wcslen.LIBCMT ref: 00B0B198
                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B0B1B0
                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B0B1D4
                          • _wcslen.LIBCMT ref: 00B0B200
                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B0B214
                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B0B236
                          • _wcslen.LIBCMT ref: 00B0B332
                            • Part of subcall function 00AF05A7: GetStdHandle.KERNEL32(000000F6), ref: 00AF05C6
                          • _wcslen.LIBCMT ref: 00B0B34B
                          • _wcslen.LIBCMT ref: 00B0B366
                          • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B0B3B6
                          • GetLastError.KERNEL32(00000000), ref: 00B0B407
                          • CloseHandle.KERNEL32(?), ref: 00B0B439
                          • CloseHandle.KERNEL32(00000000), ref: 00B0B44A
                          • CloseHandle.KERNEL32(00000000), ref: 00B0B45C
                          • CloseHandle.KERNEL32(00000000), ref: 00B0B46E
                          • CloseHandle.KERNEL32(?), ref: 00B0B4E3
                          Similarity
                          • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                          • String ID:
                          • API String ID: 2178637699-0
                          • Opcode ID: f6ee22210271c750b447b19beaf690783350f04728bf3bb5ee4e7a8dcc6e8adb
                          • Instruction ID: 84a75d669de812250ced9dbcf58219384ea78f269fd4cb75ddc08877523f732b
                          • Opcode Fuzzy Hash: f6ee22210271c750b447b19beaf690783350f04728bf3bb5ee4e7a8dcc6e8adb
                          • Instruction Fuzzy Hash: 8DF179316082409FCB14EF24C991F6EBBE5EF85714F18859DF8969B2A2DB31EC40CB52
                          APIs
                          • GetInputState.USER32 ref: 00A8D807
                          • timeGetTime.WINMM ref: 00A8DA07
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A8DB28
                          • TranslateMessage.USER32(?), ref: 00A8DB7B
                          • DispatchMessageW.USER32(?), ref: 00A8DB89
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A8DB9F
                          • Sleep.KERNELBASE(0000000A), ref: 00A8DBB1
                          Similarity
                          • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                          • String ID:
                          • API String ID: 2189390790-0
                          • Opcode ID: ed823fef9b8ef2c1313c61a5b995cd1faf179b273429ddfd9765cd6e5eb61507
                          • Instruction ID: 9285d1ac9cbe51205aec4b9fd44bb01f8637e5279b84b84cc65359ee4cfe942d
                          • Opcode Fuzzy Hash: ed823fef9b8ef2c1313c61a5b995cd1faf179b273429ddfd9765cd6e5eb61507
                          • Instruction Fuzzy Hash: 5A42B070608341EFDB28EF24C844BAABBF1BF95314F54895AE496873D1DB71E844CB92

                          Control-flow Graph

                          APIs
                          • GetSysColorBrush.USER32(0000000F), ref: 00A82D07
                          • RegisterClassExW.USER32(00000030), ref: 00A82D31
                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A82D42
                          • InitCommonControlsEx.COMCTL32(?), ref: 00A82D5F
                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A82D6F
                          • LoadIconW.USER32(000000A9), ref: 00A82D85
                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A82D94
                          Similarity
                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                          • API String ID: 2914291525-1005189915
                          • Opcode ID: 504febea6c5a04ef5edd32c8cd47d249444efe217b8ebf30bea1df15f7552814
                          • Instruction ID: d8e38f2812a2ba2a49bfd77f8378c0f3c9fcca840cbabab9049218e78158254c
                          • Opcode Fuzzy Hash: 504febea6c5a04ef5edd32c8cd47d249444efe217b8ebf30bea1df15f7552814
                          • Instruction Fuzzy Hash: 6D21E2B5941308AFDB01DFA8EC49BDDBFB8FB08701F00855AE511A72A0DBB14A408F94

                          Control-flow Graph: function ac065b, blocks ac065b-ac0983 (GetFileType, GetLastError, CloseHandle); edge list and executed/not-executed legend of the graph image omitted
                          APIs
                            • Part of subcall function 00AC039A: CreateFileW.KERNELBASE(00000000,00000000,?,00AC0704,?,?,00000000,?,00AC0704,00000000,0000000C), ref: 00AC03B7
                          • GetLastError.KERNEL32 ref: 00AC076F
                          • __dosmaperr.LIBCMT ref: 00AC0776
                          • GetFileType.KERNELBASE(00000000), ref: 00AC0782
                          • GetLastError.KERNEL32 ref: 00AC078C
                          • __dosmaperr.LIBCMT ref: 00AC0795
                          • CloseHandle.KERNEL32(00000000), ref: 00AC07B5
                          • CloseHandle.KERNEL32(?), ref: 00AC08FF
                          • GetLastError.KERNEL32 ref: 00AC0931
                          • __dosmaperr.LIBCMT ref: 00AC0938
                          Similarity
                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                          • String ID: H
                          • API String ID: 4237864984-2852464175
                          • Opcode ID: 44da0d9f7eb6bddf88f4bd1263be9cf9bee0ff5170a668ded8b81303be7eb903
                          • Instruction ID: 6e6d6cee9604562667a8f03f2b8962965b9ab54e18f9f9ebf7e6893b9190babe
                          • Opcode Fuzzy Hash: 44da0d9f7eb6bddf88f4bd1263be9cf9bee0ff5170a668ded8b81303be7eb903
                          • Instruction Fuzzy Hash: 4CA11332A14608CFDF19AF68D851FAE7BA0AB0A320F15415DF815AF3D2DB359D12CB91

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00A83A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B51418,?,00A82E7F,?,?,?,00000000), ref: 00A83A78
                            • Part of subcall function 00A83357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A83379
                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A8356A
                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00AC318D
                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00AC31CE
                          • RegCloseKey.ADVAPI32(?), ref: 00AC3210
                          • _wcslen.LIBCMT ref: 00AC3277
                          • _wcslen.LIBCMT ref: 00AC3286
                          Similarity
                          • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                          • API String ID: 98802146-2727554177
                          • Opcode ID: cc0c802768701c5d65345e827cc0ca57c7ffb359a9dec6f15e0afc8dffc8ce15
                          • Instruction ID: 4171e989bc7f7dde88da8843430b5b2870a5c10daa931c9bf056b65294f3a303
                          • Opcode Fuzzy Hash: cc0c802768701c5d65345e827cc0ca57c7ffb359a9dec6f15e0afc8dffc8ce15
                          • Instruction Fuzzy Hash: CF71C0724093019ED704EF65DD82EABBBE8FF9A740F80446EF545931B0EB309A48CB56
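The record above (RegOpenKeyExW on "Software\AutoIt v3\AutoIt", RegQueryValueExW of "Include", the "\Include\" suffix) and the earlier GUI record (RegisterClassExW with the "AutoIt v3 GUI" class, RegisterWindowMessageW "TaskbarCreated") list the runtime strings an analyst can search for to confirm the "compiled AutoIt script" verdict on a related sample or memory dump. The helper below is an added triage example, not code from Joe Sandbox or from AutoIt: it scans a byte blob for those strings encoded UTF-16LE (the report shows them passed to the wide W APIs, so that is how they sit in the binary) and scores what it finds. The per-marker weights, the threshold of 4, and the two input blobs are assumptions constructed here for illustration; the weights deliberately give no credit to "TaskbarCreated", which any tray-icon application registers.

```python
"""Added triage helper: fingerprint the AutoIt v3 runtime by the UTF-16LE
strings this report lists (example code, not Joe Sandbox or AutoIt code)."""
from typing import Dict, List

# Marker strings taken from the report's "String ID" fields. Weights are an
# assumption made here: strings other software also carries ("TaskbarCreated")
# count for nothing; AutoIt-specific ones carry the score.
AUTOIT_MARKERS: Dict[str, int] = {
    "AutoIt v3 GUI": 3,                # RegisterClassExW window class
    "Software\\AutoIt v3\\AutoIt": 3,  # RegOpenKeyExW key
    "\\Include\\": 2,                  # include-path suffix used beside that key
    "AutoIt v3": 1,                    # CreateWindowExW class/title (substring of the GUI class)
    "close all": 1,                    # mciSendStringW command issued at shutdown
    "TaskbarCreated": 0,               # RegisterWindowMessageW name; informational only
}
LIKELY_THRESHOLD = 4  # assumption: one AutoIt-specific marker plus corroboration


def find_utf16_markers(blob: bytes) -> Dict[str, List[int]]:
    """Return every marker present in blob, mapped to its byte offsets."""
    hits: Dict[str, List[int]] = {}
    for marker in AUTOIT_MARKERS:
        needle = marker.encode("utf-16-le")
        offsets: List[int] = []
        pos = blob.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = blob.find(needle, pos + 2)  # advance one UTF-16 code unit
        if offsets:
            hits[marker] = offsets
    return hits


def autoit_score(hits: Dict[str, List[int]]) -> int:
    """Sum the weights of the distinct markers found; repeats count once."""
    return sum(AUTOIT_MARKERS[marker] for marker in hits)


def is_likely_autoit(blob: bytes) -> bool:
    """Verdict under the assumed threshold."""
    return autoit_score(find_utf16_markers(blob)) >= LIKELY_THRESHOLD


def _wide(text: str) -> bytes:
    """Encode as a NUL-terminated UTF-16LE string, as the W APIs expect."""
    return text.encode("utf-16-le") + b"\x00\x00"


# Constructed inputs (not dumps of the sample): a blob carrying the report's
# AutoIt strings, and a benign blob that only registers the tray-icon message.
SAMPLE_BLOB = (
    b"\x00" * 16
    + _wide("AutoIt v3 GUI")
    + b"\x90" * 8
    + _wide("Software\\AutoIt v3\\AutoIt")
    + _wide("\\Include\\")
    + _wide("TaskbarCreated")
    + _wide("close all")
    + b"\x00" * 16
)
BENIGN_BLOB = b"MZ" + b"\x00" * 30 + _wide("TaskbarCreated") + _wide("edit")


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_BLOB), ("benign", BENIGN_BLOB)):
        found = find_utf16_markers(blob)
        print(name, "score", autoit_score(found), "autoit" if is_likely_autoit(blob) else "no-match",
              sorted(found))
```

To run it against a real file, read the PE (or a memory dump such as the .sdmp files cited in this report) with `open(path, "rb").read()` and pass the bytes to `is_likely_autoit`; keep the ANSI variants in mind if a sample was built against the A APIs, since this scan only matches the UTF-16LE form the report shows.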

                          Control-flow Graph

                          APIs
                          • GetSysColorBrush.USER32(0000000F), ref: 00A82B8E
                          • LoadCursorW.USER32(00000000,00007F00), ref: 00A82B9D
                          • LoadIconW.USER32(00000063), ref: 00A82BB3
                          • LoadIconW.USER32(000000A4), ref: 00A82BC5
                          • LoadIconW.USER32(000000A2), ref: 00A82BD7
                          • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A82BEF
                          • RegisterClassExW.USER32(?), ref: 00A82C40
                            • Part of subcall function 00A82CD4: GetSysColorBrush.USER32(0000000F), ref: 00A82D07
                            • Part of subcall function 00A82CD4: RegisterClassExW.USER32(00000030), ref: 00A82D31
                            • Part of subcall function 00A82CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A82D42
                            • Part of subcall function 00A82CD4: InitCommonControlsEx.COMCTL32(?), ref: 00A82D5F
                            • Part of subcall function 00A82CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A82D6F
                            • Part of subcall function 00A82CD4: LoadIconW.USER32(000000A9), ref: 00A82D85
                            • Part of subcall function 00A82CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A82D94
                          Similarity
                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                          • String ID: #$0$AutoIt v3
                          • API String ID: 423443420-4155596026
                          • Opcode ID: d7f64807fe60971398ed0aba6b74f68be2dc469206431c2d37ca88c87158b472
                          • Instruction ID: 54526442a090729edbbcc61b396d3b91548e50ad8275af774ee989adf1f81d2f
                          • Opcode Fuzzy Hash: d7f64807fe60971398ed0aba6b74f68be2dc469206431c2d37ca88c87158b472
                          • Instruction Fuzzy Hash: C4212C75E40314BBDB10DFA9EC65BA97FB4FB48B51F00459AE500A76A0DBB14940CF98

                          Control-flow Graph: window procedure at a83170, blocks a83170-ac2e96 (DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, MoveWindow, SetFocus); edge list and executed/not-executed legend of the graph image omitted
                          APIs
                          • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00A8316A,?,?), ref: 00A831D8
                          • KillTimer.USER32(?,00000001,?,?,?,?,?,00A8316A,?,?), ref: 00A83204
                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A83227
                          • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00A8316A,?,?), ref: 00A83232
                          • CreatePopupMenu.USER32 ref: 00A83246
                          • PostQuitMessage.USER32(00000000), ref: 00A83267
                          Similarity
                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                          • String ID: TaskbarCreated
                          • API String ID: 129472671-2362178303
                          • Opcode ID: 33c18494d445df9e494200de268b79de4644cb3adba58965af3a9432c1f5a6d0
                          • Instruction ID: 9b0149b6478a09dd753a8d20c413d155d5059194fc730feed1608fcc10f2b3bf
                          • Opcode Fuzzy Hash: 33c18494d445df9e494200de268b79de4644cb3adba58965af3a9432c1f5a6d0
                          • Instruction Fuzzy Hash: 6E412533240204AADF157F7C9D1DBBD3E69EB15F01F0446A9FA02872E1EFA19E418B61

                          Control-flow Graph: shutdown routine at a81410, blocks a81410-ac2677 (mciSendStringW, UnregisterHotKey, CoUninitialize, DestroyWindow, FindClose, FreeLibrary, VirtualFree); edge list and executed/not-executed legend of the graph image omitted
                          APIs
                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A81459
                          • CoUninitialize.COMBASE ref: 00A814F8
                          • UnregisterHotKey.USER32(?), ref: 00A816DD
                          • DestroyWindow.USER32(?), ref: 00AC24B9
                          • FreeLibrary.KERNEL32(?), ref: 00AC251E
                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AC254B
                          Similarity
                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                          • String ID: close all
                          • API String ID: 469580280-3243417748
                          • Opcode ID: 593a195a3d20d6b21ca1551737bf371e3edd437c4265033e1de230956af78058
                          • Instruction ID: 42f2b75d863bb9aefb37cdfdd6617b3fd0d6a239fd7d1a5c799e6a494b5c37f7
                          • Opcode Fuzzy Hash: 593a195a3d20d6b21ca1551737bf371e3edd437c4265033e1de230956af78058
                          • Instruction Fuzzy Hash: 5AD147317012128FDB29EF15CA99F69F7A4BF05700F2542ADE44AAB261DB30AD13CF91

                          Control-flow Graph: single block a82c63-a82cd3 (CreateWindowExW x2, ShowWindow x2); executed/not-executed legend of the graph image omitted
                          APIs
                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A82C91
                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A82CB2
                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,00A81CAD,?), ref: 00A82CC6
                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,00A81CAD,?), ref: 00A82CCF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Window$CreateShow
                          • String ID: AutoIt v3$edit
                          • API String ID: 1584632944-3779509399
                          • Opcode ID: bf50a22d434c1d8f88b70657125570ebf30489f6c666d950fcd335ac5d8bb63f
                          • Instruction ID: 8528698cb382afb30aa0f3d6e6dbde41c8832322707d82442e96f1870251e032
                          • Opcode Fuzzy Hash: bf50a22d434c1d8f88b70657125570ebf30489f6c666d950fcd335ac5d8bb63f
                          • Instruction Fuzzy Hash: 68F03A755803907AEB310B1BAC18FB72EBDD7C6F61F01449AF900A31B0CA610840DAB8

                          Control-flow Graph (text form, basic blocks and edges): 954 a83b1c-a83b27 955 a83b99-a83b9b 954->955 956 a83b29-a83b2e 954->956 957 a83b8c-a83b8f 955->957 956->955 958 a83b30-a83b48 RegOpenKeyExW 956->958 958->955 959 a83b4a-a83b69 RegQueryValueExW 958->959 960 a83b6b-a83b76 959->960 961 a83b80-a83b8b RegCloseKey 959->961 962 a83b78-a83b7a 960->962 963 a83b90-a83b97 960->963 961->957 964 a83b7e 962->964 963->964 964->961
                          APIs
                          • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00A83B0F,SwapMouseButtons,00000004,?), ref: 00A83B40
                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00A83B0F,SwapMouseButtons,00000004,?), ref: 00A83B61
                          • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00A83B0F,SwapMouseButtons,00000004,?), ref: 00A83B83
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID: Control Panel\Mouse
                          • API String ID: 3677997916-824357125
                          • Opcode ID: 148d19427e73264f1114dbdda428912a4c5d2e0bfb974549c12ca7f7d289ec99
                          • Instruction ID: 361b2ea40ddbd2c0bdd26b0bea4f9cfc8d8bbc5217ac4b3ea8ac4c131837ca48
                          • Opcode Fuzzy Hash: 148d19427e73264f1114dbdda428912a4c5d2e0bfb974549c12ca7f7d289ec99
                          • Instruction Fuzzy Hash: AE112AB6510208FFDF21DFA5DC48AEEBBB8EF04B84B108459A806D7110E6719F409760
                          APIs
                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00AC33A2
                            • Part of subcall function 00A86B57: _wcslen.LIBCMT ref: 00A86B6A
                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A83A04
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: IconLoadNotifyShell_String_wcslen
                          • String ID: Line:
                          • API String ID: 2289894680-1585850449
                          • Opcode ID: d043f14bb0d7be4e81a1cebde926df53bce52c2d425dff2c99b1ecb1f06e92c7
                          • Instruction ID: 1d9184d3b820dbe5e820ba810f4b5c3302222c4d65204b057a2426f1375e4262
                          • Opcode Fuzzy Hash: d043f14bb0d7be4e81a1cebde926df53bce52c2d425dff2c99b1ecb1f06e92c7
                          • Instruction Fuzzy Hash: 5D31CF72408300AADB25FB24DC55BEBB7E8AB40B10F00496EF59A97191EF709A49C7C6
                          APIs
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00AA0668
                            • Part of subcall function 00AA32A4: RaiseException.KERNEL32(?,?,?,00AA068A,?,00B51444,?,?,?,?,?,?,00AA068A,00A81129,00B48738,00A81129), ref: 00AA3304
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00AA0685
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Exception@8Throw$ExceptionRaise
                          • String ID: Unknown exception
                          • API String ID: 3476068407-410509341
                          • Opcode ID: 93edff4ff68ed023ac4d40cc470c8119a5dfb0171573453d8d2dd44b848fca07
                          • Instruction ID: 6c6003fee8d07ef2c1664903574ff9d568f2106e6c024a855b707f42aacf11cf
                          • Opcode Fuzzy Hash: 93edff4ff68ed023ac4d40cc470c8119a5dfb0171573453d8d2dd44b848fca07
                          • Instruction Fuzzy Hash: 56F0C234A0020D7B8F00B7A4D946DAE77AC5E42358B604171B814D75E1EFB1EB69C5C0
                          APIs
                            • Part of subcall function 00A81BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A81BF4
                            • Part of subcall function 00A81BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00A81BFC
                            • Part of subcall function 00A81BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A81C07
                            • Part of subcall function 00A81BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A81C12
                            • Part of subcall function 00A81BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00A81C1A
                            • Part of subcall function 00A81BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00A81C22
                            • Part of subcall function 00A81B4A: RegisterWindowMessageW.USER32(00000004,?,00A812C4), ref: 00A81BA2
                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A8136A
                          • OleInitialize.OLE32 ref: 00A81388
                          • CloseHandle.KERNEL32(00000000,00000000), ref: 00AC24AB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                          • String ID:
                          • API String ID: 1986988660-0
                          • Opcode ID: a4137cd03fefac0c8f3cbd276562f7e815aa6cb6189caf7d701ebf479c50db77
                          • Instruction ID: 0c6c20a70c9c906960dedff233462016d040db3903a9d540716ea9b5d35e0570
                          • Opcode Fuzzy Hash: a4137cd03fefac0c8f3cbd276562f7e815aa6cb6189caf7d701ebf479c50db77
                          • Instruction Fuzzy Hash: 9C71B6B59023008ED785EF7DBA457A53AE4BBA83867548EEAD41AC7361FF304885CF50
                          APIs
                            • Part of subcall function 00A83923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A83A04
                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AEC259
                          • KillTimer.USER32(?,00000001,?,?), ref: 00AEC261
                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AEC270
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: IconNotifyShell_Timer$Kill
                          • String ID:
                          • API String ID: 3500052701-0
                          • Opcode ID: de86bf545dfab11a608d1b97e1cea2f833eb61513923be0e1f050f0ff208a1b3
                          • Instruction ID: ce7f237684f6463f448543216748aec29aa9c1d8523436476f6d771ece699384
                          • Opcode Fuzzy Hash: de86bf545dfab11a608d1b97e1cea2f833eb61513923be0e1f050f0ff208a1b3
                          • Instruction Fuzzy Hash: 3031D570904384AFEB32AF758855BEBBBFC9F06314F00449EE2DA97241C7745A86CB51
                          APIs
                          • CloseHandle.KERNELBASE(00000000,00000000,?,?,00AB85CC,?,00B48CC8,0000000C), ref: 00AB8704
                          • GetLastError.KERNEL32(?,00AB85CC,?,00B48CC8,0000000C), ref: 00AB870E
                          • __dosmaperr.LIBCMT ref: 00AB8739
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: CloseErrorHandleLast__dosmaperr
                          • String ID:
                          • API String ID: 2583163307-0
                          • Opcode ID: 299b072e0650dbac25d41e5f2659b23fbe58cf6c4931d76a04147778d4b27163
                          • Instruction ID: b62a99bbf24d58527a8fe573d6f09779fcaad0f927a05f5d1d45a97ae0688036
                          • Opcode Fuzzy Hash: 299b072e0650dbac25d41e5f2659b23fbe58cf6c4931d76a04147778d4b27163
                          • Instruction Fuzzy Hash: 6A014E32A0572026D664733CA9557FE6B9D4B92778F390159F8148F1D3DEB8CC81D150
                          APIs
                          • TranslateMessage.USER32(?), ref: 00A8DB7B
                          • DispatchMessageW.USER32(?), ref: 00A8DB89
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A8DB9F
                          • Sleep.KERNELBASE(0000000A), ref: 00A8DBB1
                          • TranslateAcceleratorW.USER32(?,?,?), ref: 00AD1CC9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                          • String ID:
                          • API String ID: 3288985973-0
                          • Opcode ID: 532381368b20759fbc6d05a6ec66bc7410ac4042e9b18cb7237c19efa933bfb5
                          • Instruction ID: 2d122ac9e5dd2bba04406a4d8872e69f75ce5623849c35a9d8c58cdbb2af5f10
                          • Opcode Fuzzy Hash: 532381368b20759fbc6d05a6ec66bc7410ac4042e9b18cb7237c19efa933bfb5
                          • Instruction Fuzzy Hash: 7BF05E306443409BEB30DB608C49FEA77A9EB45311F508919E65A830C0DF7098488B25
                          APIs
                          • __Init_thread_footer.LIBCMT ref: 00A917F6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Init_thread_footer
                          • String ID: CALL
                          • API String ID: 1385522511-4196123274
                          • Opcode ID: dd4f2387a0c9f1ce16071171fa6fa5d86e4f73d57170a840802c653863cffacb
                          • Instruction ID: 4debb884a98a4e51ae94e70994ae7b005391f74b850ff663eeddb282c6023a84
                          • Opcode Fuzzy Hash: dd4f2387a0c9f1ce16071171fa6fa5d86e4f73d57170a840802c653863cffacb
                          • Instruction Fuzzy Hash: 6C228BB46083029FCB14DF14C584B2ABBF1BF89314F29895DF5968B3A2D731E945CB92
                          APIs
                          • GetOpenFileNameW.COMDLG32(?), ref: 00AC2C8C
                            • Part of subcall function 00A83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A83A97,?,?,00A82E7F,?,?,?,00000000), ref: 00A83AC2
                            • Part of subcall function 00A82DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A82DC4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Name$Path$FileFullLongOpen
                          • String ID: X
                          • API String ID: 779396738-3081909835
                          • Opcode ID: 1fc35abb5930b04289a46070919c3417fec31fcc686c8c2664dceb735db7c33b
                          • Instruction ID: 58a730e53c2986fa6dacd10e5caa5d173b8820fdceba1fdf916e44cbb634ab3f
                          • Opcode Fuzzy Hash: 1fc35abb5930b04289a46070919c3417fec31fcc686c8c2664dceb735db7c33b
                          • Instruction Fuzzy Hash: F021B771A002589FDF01EF94C949BEE7BFCAF49715F008059E405B7241DBB45A898FA1
                          APIs
                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A83908
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: IconNotifyShell_
                          • String ID:
                          • API String ID: 1144537725-0
                          • Opcode ID: 5f51b6139bddc1288164ebce9e8d5268362626f8cfd22a46c5f1e999caa8f299
                          • Instruction ID: d3945723bd1b4a6c517635ae33e366bb7befa1b8834c6eb82645ef614a0ee4bb
                          • Opcode Fuzzy Hash: 5f51b6139bddc1288164ebce9e8d5268362626f8cfd22a46c5f1e999caa8f299
                          • Instruction Fuzzy Hash: DE3193715043019FDB20EF24D894797BBE4FB49709F00096EF59987250EB71AA44CB52
                          APIs
                          • timeGetTime.WINMM ref: 00A9F661
                            • Part of subcall function 00A8D730: GetInputState.USER32 ref: 00A8D807
                          • Sleep.KERNEL32(00000000), ref: 00ADF2DE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: InputSleepStateTimetime
                          • String ID:
                          • API String ID: 4149333218-0
                          • Opcode ID: 1252358bc7003941cf336eab2a456d0f6e38ebdde1d2ad200ff403fd39da929f
                          • Instruction ID: 25ab10f43cad830e668693b51d421d2dc2a17f265661ef3880d331c36ea51415
                          • Opcode Fuzzy Hash: 1252358bc7003941cf336eab2a456d0f6e38ebdde1d2ad200ff403fd39da929f
                          • Instruction Fuzzy Hash: 7BF082712803059FD314FF65D545B9ABBE4EF45760F004029E85AC73A1DB70A800CB90
                          APIs
                          • __Init_thread_footer.LIBCMT ref: 00A8BB4E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Init_thread_footer
                          • String ID:
                          • API String ID: 1385522511-0
                          • Opcode ID: 85f7d678ea5678c9868280b80a993fc580baeb6a71313f14d573fb1485649781
                          • Instruction ID: 67d1596d4480087d191de2c349764e16a96255bdd43d0a00e6f755b58ba38a9a
                          • Opcode Fuzzy Hash: 85f7d678ea5678c9868280b80a993fc580baeb6a71313f14d573fb1485649781
                          • Instruction Fuzzy Hash: F832AB34A002099FDB24EF54C894FBEB7B9EF45340F18809AE916AB361D774ED41CBA1
                          APIs
                            • Part of subcall function 00A84E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A84EDD,?,00B51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A84E9C
                            • Part of subcall function 00A84E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A84EAE
                            • Part of subcall function 00A84E90: FreeLibrary.KERNEL32(00000000,?,?,00A84EDD,?,00B51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A84EC0
                          • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00B51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A84EFD
                            • Part of subcall function 00A84E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AC3CDE,?,00B51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A84E62
                            • Part of subcall function 00A84E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A84E74
                            • Part of subcall function 00A84E59: FreeLibrary.KERNEL32(00000000,?,?,00AC3CDE,?,00B51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A84E87
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Library$Load$AddressFreeProc
                          • String ID:
                          • API String ID: 2632591731-0
                          • Opcode ID: f936b5ab68e8235e9745e8c89b56583751af2a5be0fcc924dc47e68579162d5c
                          • Instruction ID: 5a8df62306b267249aa0ab9d9c43d4dfddee8159d0fe6ccf55c420d43da0ca0c
                          • Opcode Fuzzy Hash: f936b5ab68e8235e9745e8c89b56583751af2a5be0fcc924dc47e68579162d5c
                          • Instruction Fuzzy Hash: 8B11E332600206AACF14FF70DE02FED77A5AF48B14F20842EF642A61D1EE709E459B90
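Each block above is one record from the Joe Sandbox IDA plugin: the API calls reached from a function (with the stack values the sandbox captured as arguments, and "Part of subcall function" entries for calls made one level down), followed by similarity fields (API ID, String ID, API String ID, Opcode ID, Instruction ID and the two fuzzy hashes) intended for matching the same code across samples. The registry block (RegOpenKeyExW on hive 80000001 with subkey Control Panel\Mouse) and the library block (LoadLibraryA/GetProcAddress resolving Wow64DisableWow64FsRedirection, then LoadLibraryExW with flag 00000002) are the two records a triager usually wants to pull out of a listing like this. The Python below is an added example, not part of the report or of Joe Sandbox: it parses this text form into records, reconstructs Hive\subkey strings from RegOpenKeyEx arguments, and attaches triage tags. The hive-handle table and the TAGS mapping are the example author's own assumptions; the embedded SAMPLE is constructed from lines on this page, with the memory-dump lines dropped and OleInitialize moved in to exercise the argument-less call form.

```python
"""Parse the per-function API/similarity blocks of a Joe Sandbox disassembly listing (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# One API line: "• Name.MODULE(arg,arg,...), ref: ADDR" or "• Name.MODULE ref: ADDR".
# A "Part of subcall function X:" prefix marks a call made by a callee of the block.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w@]+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# Similarity fields the plugin emits after the "Similarity" header.
FIELD_RE = re.compile(
    r"^•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(?P<val>.*)$"
)
# Predefined hive handles as they appear in the captured first argument (assumed mapping).
HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM",
         "80000003": "HKU", "80000005": "HKCC"}
# Triage tags per API: the example author's shorthand, not a Joe Sandbox category.
TAGS = {"RegOpenKeyExW": "registry-read", "RegQueryValueExW": "registry-read",
        "LoadLibraryA": "dynamic-api-resolution", "LoadLibraryExW": "dynamic-api-resolution",
        "GetProcAddress": "dynamic-api-resolution", "Shell_NotifyIconW": "tray-icon",
        "GetOpenFileNameW": "file-dialog", "CreateWindowExW": "gui", "SetTimer": "timer"}

@dataclass
class Call:
    name: str
    module: str
    args: list[str]
    ref: str
    subcall_of: str | None = None  # callee address when listed as "Part of subcall function"

@dataclass
class Block:
    calls: list[Call] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)

def parse_blocks(text: str) -> list[Block]:
    """Start a new record at each "APIs" header; collect its call lines and similarity fields."""
    blocks: list[Block] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            blocks.append(Block())
            continue
        if not blocks:
            continue  # report text before the first block is ignored
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            blocks[-1].calls.append(Call(m["name"], m["module"], args, m["ref"].upper(), m["sub"]))
            continue
        f = FIELD_RE.match(line)
        if f:
            blocks[-1].fields[f["key"]] = f["val"].strip()
    return blocks

def call_sequence(block: Block, include_subcalls: bool = False) -> list[str]:
    """API names in listing order; direct calls only unless include_subcalls is set."""
    return [c.name for c in block.calls if include_subcalls or c.subcall_of is None]

def registry_opens(block: Block) -> list[str]:
    """Hive\\subkey for each RegOpenKeyEx*/RegCreateKeyEx* call, from its first two captured args."""
    return [f"{HIVES.get(c.args[0], c.args[0])}\\{c.args[1]}" for c in block.calls
            if c.name.startswith(("RegOpenKeyEx", "RegCreateKeyEx")) and len(c.args) >= 2]

def tags_for(block: Block) -> set[str]:
    """Triage tags implied by any call in the block, subcalls included."""
    return {TAGS[c.name] for c in block.calls if c.name in TAGS}

def find_by_api(blocks: list[Block], api_name: str) -> list[Block]:
    """Blocks in which api_name is reached directly or through a listed subcall."""
    return [b for b in blocks if any(c.name == api_name for c in b.calls)]

# Constructed sample: lines copied from the registry and library blocks of this listing.
SAMPLE = r"""
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00A83B0F,SwapMouseButtons,00000004,?), ref: 00A83B40
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00A83B0F,SwapMouseButtons,00000004,?), ref: 00A83B61
• RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00A83B0F,SwapMouseButtons,00000004,?), ref: 00A83B83
Strings
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
• Opcode ID: 148d19427e73264f1114dbdda428912a4c5d2e0bfb974549c12ca7f7d289ec99
APIs
  • Part of subcall function 00A84E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A84EDD,?,00B51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A84E9C
  • Part of subcall function 00A84E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A84EAE
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00B51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A84EFD
• OleInitialize.OLE32 ref: 00A81388
Similarity
• API ID: Library$Load$AddressFreeProc
• String ID:
• Opcode ID: f936b5ab68e8235e9745e8c89b56583751af2a5be0fcc924dc47e68579162d5c
"""

if __name__ == "__main__":
    for i, b in enumerate(parse_blocks(SAMPLE)):
        print(i, b.fields.get("API ID"), call_sequence(b, True), registry_opens(b), sorted(tags_for(b)))
```

Run it against the full text of a listing (paste the whole "APIs ... Instruction Fuzzy Hash" section into a file and pass it to parse_blocks) to get one Block per function. The captured arguments are stack snapshots, so only the leading positions are reliable as real parameters; registry_opens therefore uses just the first two for RegOpenKeyEx, where hKey and lpSubKey sit. Note that the Wow64 resolution, the tray icon, the SwapMouseButtons lookup and the "AutoIt v3" window are all standard AutoIt runtime behaviour, which is why the report flags the sample as a compiled AutoIt script rather than treating these calls as malicious on their own.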
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: __wsopen_s
                          • String ID:
                          • API String ID: 3347428461-0
                          • Opcode ID: cb9d16bfaefe56ca91b4ce430b0448bf34a4900a5faadc3b1034f3fe3c0e7357
                          • Instruction ID: 2c065155f934ae03b318901469a2de5f674d7456fcb1080a86ed429e3a6202e1
                          • Opcode Fuzzy Hash: cb9d16bfaefe56ca91b4ce430b0448bf34a4900a5faadc3b1034f3fe3c0e7357
                          • Instruction Fuzzy Hash: 9B11187590420AAFCF05DF58E941ADA7BF9EF48314F114199FC08AB312DA31DA11CBA5
                          APIs
                            • Part of subcall function 00AB4C7D: RtlAllocateHeap.NTDLL(00000008,00A81129,00000000,?,00AB2E29,00000001,00000364,?,?,?,00AAF2DE,00AB3863,00B51444,?,00A9FDF5,?), ref: 00AB4CBE
                          • _free.LIBCMT ref: 00AB506C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: AllocateHeap_free
                          • String ID:
                          • API String ID: 614378929-0
                          • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                          • Instruction ID: c8e7dcaf21eb0d827b6ea6d2929e0235ee3f89299a7351171537db92ebd8601e
                          • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                          • Instruction Fuzzy Hash: 0A0149726047056FE3319F65D881ADAFBECFB89370F25052DE184832C2EA30A905C7B4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                          • Instruction ID: 5c720be89bbabe7fa1cdbdf1bbe034fe030e169de2f175af08e4c741acb0de7d
                          • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                          • Instruction Fuzzy Hash: 3DF0F432511A10AAD6317B698E05B9A739C9F53330F100F1AF425931D3DB74D80586A5
                          APIs
                          • RtlAllocateHeap.NTDLL(00000008,00A81129,00000000,?,00AB2E29,00000001,00000364,?,?,?,00AAF2DE,00AB3863,00B51444,?,00A9FDF5,?), ref: 00AB4CBE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: b4027969909b799f02409888a5c1918f98d9eeb6e9087febe266085ba1a746f9
                          • Instruction ID: 2a13cc43aff9c2ed5cad346139aef5b3bc9f3a5b41f95fa960d41f7c8411e908
                          • Opcode Fuzzy Hash: b4027969909b799f02409888a5c1918f98d9eeb6e9087febe266085ba1a746f9
                          • Instruction Fuzzy Hash: 10F0B43164632466DB215F669D05BDA3F9CAF8BFA1B144121F919A71C3CB71DC1046E0
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000,?,00B51444,?,00A9FDF5,?,?,00A8A976,00000010,00B51440,00A813FC,?,00A813C6,?,00A81129), ref: 00AB3852
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: 0aec889a6b9f3c72acd47269aaa1ab68b9e5b3ae521b2c47b0c8e5569108ff6c
                          • Instruction ID: 3fce964ddd8493587830abb293876afe77533f575295570838016d861941c32e
                          • Opcode Fuzzy Hash: 0aec889a6b9f3c72acd47269aaa1ab68b9e5b3ae521b2c47b0c8e5569108ff6c
                          • Instruction Fuzzy Hash: AEE0A0331423246ADE212BFA9D00BDA365CAB827B0F160021BC04934D2DB509D0181E2
                          APIs
                          • FreeLibrary.KERNEL32(?,?,00B51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A84F6D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: FreeLibrary
                          • String ID:
                          • API String ID: 3664257935-0
                          • Opcode ID: 9c96fc223ef94cc3b11c5fb8a728f0f37be2fc7ae0e447c01174fcda7ceb6ea0
                          • Instruction ID: 0ca0cee64526943acd640547917ef84d0493d2687fead791ffe23d9f852ed2fa
                          • Opcode Fuzzy Hash: 9c96fc223ef94cc3b11c5fb8a728f0f37be2fc7ae0e447c01174fcda7ceb6ea0
                          • Instruction Fuzzy Hash: 58F03971105752CFDB34AF64D590822BBF4BF187293258A7EE2EA83621CB319C44DF10
                          APIs
                          • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00A8314E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: IconNotifyShell_
                          • String ID:
                          • API String ID: 1144537725-0
                          • Opcode ID: 3a8c518591d812c2fe3cfb3f74b9f7a48e7d5087baba076fa8f6f3e5d41240d3
                          • Instruction ID: fc0d8fa4b39032ca15a5b506a5978329eea1e987c8e48436dda56af65649558c
                          • Opcode Fuzzy Hash: 3a8c518591d812c2fe3cfb3f74b9f7a48e7d5087baba076fa8f6f3e5d41240d3
                          • Instruction Fuzzy Hash: D5F03070914318AFEB529B28DC4A7DA7BBCAB01708F0005E9A68897292DB745B89CF55
                          APIs
                          • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A82DC4
                            • Part of subcall function 00A86B57: _wcslen.LIBCMT ref: 00A86B6A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: LongNamePath_wcslen
                          • String ID:
                          • API String ID: 541455249-0
                          • Opcode ID: ea94aa46a1f3da6d77362688306c5342cfe30d907f9202d6fb3661b0534c8ecc
                          • Instruction ID: dc883996c23a11785ed340b6d548cef69ecc23eeec340073b971e92afbb7fd81
                          • Opcode Fuzzy Hash: ea94aa46a1f3da6d77362688306c5342cfe30d907f9202d6fb3661b0534c8ecc
                          • Instruction Fuzzy Hash: 2EE0C272A002245BCB20A6989C0AFEA77EDDFC8794F0540B6FD09E7248DA70ED808690
                          APIs
                            • Part of subcall function 00A83837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A83908
                            • Part of subcall function 00A8D730: GetInputState.USER32 ref: 00A8D807
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00A82B6B
                            • Part of subcall function 00A830F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00A8314E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: IconNotifyShell_$CurrentDirectoryInputState
                          • String ID:
                          • API String ID: 3667716007-0
                          • Opcode ID: 1965a6841f35da200d937a17d9fcf6a2b4bb73988a08b83b65120c3855cc7259
                          • Instruction ID: ee4ed1403ae1cbdda77576167731a2d719a7774724a9e0a37059b7efbeec7c09
                          • Opcode Fuzzy Hash: 1965a6841f35da200d937a17d9fcf6a2b4bb73988a08b83b65120c3855cc7259
                          • Instruction Fuzzy Hash: B2E0863370424406CE04BB74AA566BDA7599BD1756F40197EF542472A2CE2449494752
                          APIs
                          • CreateFileW.KERNELBASE(00000000,00000000,?,00AC0704,?,?,00000000,?,00AC0704,00000000,0000000C), ref: 00AC03B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: b776737d84c988da700726b8a564ee3827695a029b094eb2d6f945b055fef015
                          • Instruction ID: b8d9eef3d3a76fbbd67537f88c4555b729ddf64e3224afe741e551ec1f067939
                          • Opcode Fuzzy Hash: b776737d84c988da700726b8a564ee3827695a029b094eb2d6f945b055fef015
                          • Instruction Fuzzy Hash: FFD06C3208010DBBDF028F84DD06EDA3FAAFB48714F018000BE18A6020C732E831AB90
                          APIs
                          • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00A81CBC
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: InfoParametersSystem
                          • String ID:
                          • API String ID: 3098949447-0
                          • Opcode ID: 4f2b0f2ea3f7cef68d2ae65e25af08b6b3f84da139c69aeafe108f947fabd59c
                          • Instruction ID: 896f58e01bf12f7d65285ee406927c5d629dfadd85666f3ef4bce10debaf113c
                          • Opcode Fuzzy Hash: 4f2b0f2ea3f7cef68d2ae65e25af08b6b3f84da139c69aeafe108f947fabd59c
                          • Instruction Fuzzy Hash: 79C092362C1304AFF2158B84BC5BF507B65A368B02F448841FA09AB5F3DBA22820EA54
                          APIs
                            • Part of subcall function 00A99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A99BB2
                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00B1961A
                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B1965B
                          • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00B1969F
                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B196C9
                          • SendMessageW.USER32 ref: 00B196F2
                          • GetKeyState.USER32(00000011), ref: 00B1978B
                          • GetKeyState.USER32(00000009), ref: 00B19798
                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B197AE
                          • GetKeyState.USER32(00000010), ref: 00B197B8
                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B197E9
                          • SendMessageW.USER32 ref: 00B19810
                          • SendMessageW.USER32(?,00001030,?,00B17E95), ref: 00B19918
                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00B1992E
                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B19941
                          • SetCapture.USER32(?), ref: 00B1994A
                          • ClientToScreen.USER32(?,?), ref: 00B199AF
                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B199BC
                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B199D6
                          • ReleaseCapture.USER32 ref: 00B199E1
                          • GetCursorPos.USER32(?), ref: 00B19A19
                          • ScreenToClient.USER32(?,?), ref: 00B19A26
                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00B19A80
                          • SendMessageW.USER32 ref: 00B19AAE
                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00B19AEB
                          • SendMessageW.USER32 ref: 00B19B1A
                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B19B3B
                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B19B4A
                          • GetCursorPos.USER32(?), ref: 00B19B68
                          • ScreenToClient.USER32(?,?), ref: 00B19B75
                          • GetParent.USER32(?), ref: 00B19B93
                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00B19BFA
                          • SendMessageW.USER32 ref: 00B19C2B
                          • ClientToScreen.USER32(?,?), ref: 00B19C84
                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B19CB4
                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00B19CDE
                          • SendMessageW.USER32 ref: 00B19D01
                          • ClientToScreen.USER32(?,?), ref: 00B19D4E
                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B19D82
                            • Part of subcall function 00A99944: GetWindowLongW.USER32(?,000000EB), ref: 00A99952
                          • GetWindowLongW.USER32(?,000000F0), ref: 00B19E05
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                          • String ID: @GUI_DRAGID$F
                          • API String ID: 3429851547-4164748364
                          • Opcode ID: 3866d577d0f1ff954937800a6b954fd7da64b38b6ab993bae16e650ad8da3f46
                          • Instruction ID: f75a0bb681a6c8f04a267088a8e453b4697d732d0f7b81e759a8ffa1cd1e6a82
                          • Opcode Fuzzy Hash: 3866d577d0f1ff954937800a6b954fd7da64b38b6ab993bae16e650ad8da3f46
                          • Instruction Fuzzy Hash: A9428F71204281EFD724CF28CC54BEABBE5FF89310F544AA9F595872A1DB319C94CB51
                          APIs
                          • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00B148F3
                          • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00B14908
                          • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00B14927
                          • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00B1494B
                          • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00B1495C
                          • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00B1497B
                          • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00B149AE
                          • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00B149D4
                          • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00B14A0F
                          • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00B14A56
                          • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00B14A7E
                          • IsMenu.USER32(?), ref: 00B14A97
                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B14AF2
                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B14B20
                          • GetWindowLongW.USER32(?,000000F0), ref: 00B14B94
                          • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00B14BE3
                          • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00B14C82
                          • wsprintfW.USER32 ref: 00B14CAE
                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B14CC9
                          • GetWindowTextW.USER32(?,00000000,00000001), ref: 00B14CF1
                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B14D13
                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B14D33
                          • GetWindowTextW.USER32(?,00000000,00000001), ref: 00B14D5A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                          • String ID: %d/%02d/%02d
                          • API String ID: 4054740463-328681919
                          • Opcode ID: 6a2a9a35f54bf1224ee4e962a5cd3470d9f4e125662dfda8c84ede4b9c73cf31
                          • Instruction ID: 1622c0225e5d3a54343e3b479537721362b75bd8010a1413382bde88818bf174
                          • Opcode Fuzzy Hash: 6a2a9a35f54bf1224ee4e962a5cd3470d9f4e125662dfda8c84ede4b9c73cf31
                          • Instruction Fuzzy Hash: BE12BB71640214AFEB248F28CC89FEE7BE8EF45710F5441A9F51AEB2A1DB749981CB50
                          APIs
                          • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00A9F998
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00ADF474
                          • IsIconic.USER32(00000000), ref: 00ADF47D
                          • ShowWindow.USER32(00000000,00000009), ref: 00ADF48A
                          • SetForegroundWindow.USER32(00000000), ref: 00ADF494
                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00ADF4AA
                          • GetCurrentThreadId.KERNEL32 ref: 00ADF4B1
                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00ADF4BD
                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 00ADF4CE
                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 00ADF4D6
                          • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00ADF4DE
                          • SetForegroundWindow.USER32(00000000), ref: 00ADF4E1
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00ADF4F6
                          • keybd_event.USER32(00000012,00000000), ref: 00ADF501
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00ADF50B
                          • keybd_event.USER32(00000012,00000000), ref: 00ADF510
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00ADF519
                          • keybd_event.USER32(00000012,00000000), ref: 00ADF51E
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00ADF528
                          • keybd_event.USER32(00000012,00000000), ref: 00ADF52D
                          • SetForegroundWindow.USER32(00000000), ref: 00ADF530
                          • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00ADF557
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                          • String ID: Shell_TrayWnd
                          • API String ID: 4125248594-2988720461
                          • Opcode ID: cdf5eeaa24ae4d422551c607b9086bc818a39103724c9c4e71df259906ca73b2
                          • Instruction ID: c99001258ad5bb2b62d7ed78150cad3b029e570d632f910afa8f94cfde8ed0a4
                          • Opcode Fuzzy Hash: cdf5eeaa24ae4d422551c607b9086bc818a39103724c9c4e71df259906ca73b2
                          • Instruction Fuzzy Hash: D2314371A80318BFEB216BB55C4AFBF7E6DEB44B50F504066FA02E71D1CBB15D00AA60
                          APIs
                            • Part of subcall function 00AE16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AE170D
                            • Part of subcall function 00AE16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AE173A
                            • Part of subcall function 00AE16C3: GetLastError.KERNEL32 ref: 00AE174A
                          • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00AE1286
                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00AE12A8
                          • CloseHandle.KERNEL32(?), ref: 00AE12B9
                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00AE12D1
                          • GetProcessWindowStation.USER32 ref: 00AE12EA
                          • SetProcessWindowStation.USER32(00000000), ref: 00AE12F4
                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00AE1310
                            • Part of subcall function 00AE10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AE11FC), ref: 00AE10D4
                            • Part of subcall function 00AE10BF: CloseHandle.KERNEL32(?,?,00AE11FC), ref: 00AE10E9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                          • String ID: $default$winsta0
                          • API String ID: 22674027-1027155976
                          • Opcode ID: 2f952e2d944dd5a060511075eea0a5d9fe589db992a3bc829ae2e4e1fd547cc4
                          • Instruction ID: 5d4cbb71dcbaec49513a16278a315e0ddb304006866b55c26275bbea0534c9c8
                          • Opcode Fuzzy Hash: 2f952e2d944dd5a060511075eea0a5d9fe589db992a3bc829ae2e4e1fd547cc4
                          • Instruction Fuzzy Hash: 0581A0B1A40299AFDF219FA5DD49FEE7FB9EF04704F148129F911A72A0DB708954CB20
                          APIs
                            • Part of subcall function 00AE10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AE1114
                            • Part of subcall function 00AE10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00AE0B9B,?,?,?), ref: 00AE1120
                            • Part of subcall function 00AE10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00AE0B9B,?,?,?), ref: 00AE112F
                            • Part of subcall function 00AE10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00AE0B9B,?,?,?), ref: 00AE1136
                            • Part of subcall function 00AE10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AE114D
                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AE0BCC
                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AE0C00
                          • GetLengthSid.ADVAPI32(?), ref: 00AE0C17
                          • GetAce.ADVAPI32(?,00000000,?), ref: 00AE0C51
                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AE0C6D
                          • GetLengthSid.ADVAPI32(?), ref: 00AE0C84
                          • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00AE0C8C
                          • HeapAlloc.KERNEL32(00000000), ref: 00AE0C93
                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AE0CB4
                          • CopySid.ADVAPI32(00000000), ref: 00AE0CBB
                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AE0CEA
                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AE0D0C
                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AE0D1E
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE0D45
                          • HeapFree.KERNEL32(00000000), ref: 00AE0D4C
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE0D55
                          • HeapFree.KERNEL32(00000000), ref: 00AE0D5C
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE0D65
                          • HeapFree.KERNEL32(00000000), ref: 00AE0D6C
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00AE0D78
                          • HeapFree.KERNEL32(00000000), ref: 00AE0D7F
                            • Part of subcall function 00AE1193: GetProcessHeap.KERNEL32(00000008,00AE0BB1,?,00000000,?,00AE0BB1,?), ref: 00AE11A1
                            • Part of subcall function 00AE1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00AE0BB1,?), ref: 00AE11A8
                            • Part of subcall function 00AE1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00AE0BB1,?), ref: 00AE11B7
                          Similarity
                          • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                          • String ID:
                          • API String ID: 4175595110-0
                          • Opcode ID: 0a6519f26cdedf87c125d92ea647da77c897df16680e61e79d0fc460b81d1c97
                          • Instruction ID: c29a2b3d2f78f0dda76b0ccf5bd91b40ceb7d7517ae2e483afc2710b6248f80c
                          • Opcode Fuzzy Hash: 0a6519f26cdedf87c125d92ea647da77c897df16680e61e79d0fc460b81d1c97
                          • Instruction Fuzzy Hash: 23715C7294024AEBDF10DFA5DC88FEEBBB8FF08300F148515E915A7191DBB5AA45CB60
                          APIs
                          • OpenClipboard.USER32(00B1CC08), ref: 00AFEB29
                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 00AFEB37
                          • GetClipboardData.USER32(0000000D), ref: 00AFEB43
                          • CloseClipboard.USER32 ref: 00AFEB4F
                          • GlobalLock.KERNEL32(00000000), ref: 00AFEB87
                          • CloseClipboard.USER32 ref: 00AFEB91
                          • GlobalUnlock.KERNEL32(00000000), ref: 00AFEBBC
                          • IsClipboardFormatAvailable.USER32(00000001), ref: 00AFEBC9
                          • GetClipboardData.USER32(00000001), ref: 00AFEBD1
                          • GlobalLock.KERNEL32(00000000), ref: 00AFEBE2
                          • GlobalUnlock.KERNEL32(00000000), ref: 00AFEC22
                          • IsClipboardFormatAvailable.USER32(0000000F), ref: 00AFEC38
                          • GetClipboardData.USER32(0000000F), ref: 00AFEC44
                          • GlobalLock.KERNEL32(00000000), ref: 00AFEC55
                          • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00AFEC77
                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00AFEC94
                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00AFECD2
                          • GlobalUnlock.KERNEL32(00000000), ref: 00AFECF3
                          • CountClipboardFormats.USER32 ref: 00AFED14
                          • CloseClipboard.USER32 ref: 00AFED59
                          Similarity
                          • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                          • String ID:
                          • API String ID: 420908878-0
                          • Opcode ID: 61213cf9bfa17d5f22bba42af2de622772183f134fc391e5bcf9384712aac4a9
                          • Instruction ID: 65eca84ac2b1f306c65b8878b438251491c362fc5de42e0834144c4ea3ce4857
                          • Opcode Fuzzy Hash: 61213cf9bfa17d5f22bba42af2de622772183f134fc391e5bcf9384712aac4a9
                          • Instruction Fuzzy Hash: 8761BC34244205AFD310EFA4C888FBA7BA4AF84704F488559F596972A2DF31DD06CBA2
                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 00AF69BE
                          • FindClose.KERNEL32(00000000), ref: 00AF6A12
                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AF6A4E
                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AF6A75
                            • Part of subcall function 00A89CB3: _wcslen.LIBCMT ref: 00A89CBD
                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00AF6AB2
                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00AF6ADF
                          Similarity
                          • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                          • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                          • API String ID: 3830820486-3289030164
                          • Opcode ID: 03bce68515b9d767fb44ef4151beda1e36e693f5189286deaa4d904197ef0f93
                          • Instruction ID: 0093f9f673340a60752115da354e22f2e5807072404a167676b0d3663c19d43a
                          • Opcode Fuzzy Hash: 03bce68515b9d767fb44ef4151beda1e36e693f5189286deaa4d904197ef0f93
                          • Instruction Fuzzy Hash: DAD13DB2508304AFC714EBA4C982EBBB7ECAF98704F44491DF685D7191EB74DA44CB62
                          APIs
                          • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00AF9663
                          • GetFileAttributesW.KERNEL32(?), ref: 00AF96A1
                          • SetFileAttributesW.KERNEL32(?,?), ref: 00AF96BB
                          • FindNextFileW.KERNEL32(00000000,?), ref: 00AF96D3
                          • FindClose.KERNEL32(00000000), ref: 00AF96DE
                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00AF96FA
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00AF974A
                          • SetCurrentDirectoryW.KERNEL32(00B46B7C), ref: 00AF9768
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AF9772
                          • FindClose.KERNEL32(00000000), ref: 00AF977F
                          • FindClose.KERNEL32(00000000), ref: 00AF978F
                          Similarity
                          • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                          • String ID: *.*
                          • API String ID: 1409584000-438819550
                          • Opcode ID: a9cfb5805ae896988455e6bd8094d7331c686cd179c2810adc18969c4a9f8894
                          • Instruction ID: 11d4a5826fd1e9724d2e095fe0442cc07d55f1f7bea7e66dc8dc90fcf03e5d77
                          • Opcode Fuzzy Hash: a9cfb5805ae896988455e6bd8094d7331c686cd179c2810adc18969c4a9f8894
                          • Instruction Fuzzy Hash: AB31A23254021D6BDB14AFF4EC49BEF7BAC9F09321F508195FA15E30A0DB74DE448A54
                          APIs
                          • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00AF97BE
                          • FindNextFileW.KERNEL32(00000000,?), ref: 00AF9819
                          • FindClose.KERNEL32(00000000), ref: 00AF9824
                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00AF9840
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00AF9890
                          • SetCurrentDirectoryW.KERNEL32(00B46B7C), ref: 00AF98AE
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AF98B8
                          • FindClose.KERNEL32(00000000), ref: 00AF98C5
                          • FindClose.KERNEL32(00000000), ref: 00AF98D5
                            • Part of subcall function 00AEDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00AEDB00
                          Similarity
                          • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                          • String ID: *.*
                          • API String ID: 2640511053-438819550
                          • Opcode ID: 09ce8a1625d62c58f1ac1851d5b743f652b012de5517657bd785fa251ab5e530
                          • Instruction ID: 36ca15ffe86da62074de78293d6bbdf106d1f098afa0aef23a14294c0f6bc2d4
                          • Opcode Fuzzy Hash: 09ce8a1625d62c58f1ac1851d5b743f652b012de5517657bd785fa251ab5e530
                          • Instruction Fuzzy Hash: D831C33254021D6ADB14AFF4EC49BEF7BACDF06360F108195F954A31E0DB70DE848AA4
                          APIs
                            • Part of subcall function 00B0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0B6AE,?,?), ref: 00B0C9B5
                            • Part of subcall function 00B0C998: _wcslen.LIBCMT ref: 00B0C9F1
                            • Part of subcall function 00B0C998: _wcslen.LIBCMT ref: 00B0CA68
                            • Part of subcall function 00B0C998: _wcslen.LIBCMT ref: 00B0CA9E
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B0BF3E
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00B0BFA9
                          • RegCloseKey.ADVAPI32(00000000), ref: 00B0BFCD
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B0C02C
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B0C0E7
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00B0C154
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00B0C1E9
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00B0C23A
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00B0C2E3
                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B0C382
                          • RegCloseKey.ADVAPI32(00000000), ref: 00B0C38F
                          Similarity
                          • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                          • String ID:
                          • API String ID: 3102970594-0
                          • Opcode ID: be4628a82added75a7aa841a884ca8f4e697cba249719110c2782189c8898c9d
                          • Instruction ID: ad52027597cc51c446224256ad45da65a8f745b7090da2df40bf37fe4fabfe1b
                          • Opcode Fuzzy Hash: be4628a82added75a7aa841a884ca8f4e697cba249719110c2782189c8898c9d
                          • Instruction Fuzzy Hash: 9B025D716042009FD714DF28C995E2ABBE5EF89318F18C59DF84ADB2A2DB31EC45CB52
                          APIs
                          • GetLocalTime.KERNEL32(?), ref: 00AF8257
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00AF8267
                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00AF8273
                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AF8310
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00AF8324
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00AF8356
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00AF838C
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00AF8395
                          Similarity
                          • API ID: CurrentDirectoryTime$File$Local$System
                          • String ID: *.*
                          • API String ID: 1464919966-438819550
                          • Opcode ID: 6bcbbe268e0b1ce39d3d4e4b2a5395bfd85a6e0149ce47cab6c67746e537fb95
                          • Instruction ID: 32051b9cfd1a9c4e8bd9f59beef77782e6ad2a027ac8bacbc800ef5eb93e65ce
                          • Opcode Fuzzy Hash: 6bcbbe268e0b1ce39d3d4e4b2a5395bfd85a6e0149ce47cab6c67746e537fb95
                          • Instruction Fuzzy Hash: 57618BB25043099FCB10EF60C9409AFB7E8FF89714F04891EFA9987251DB35E945CB92
                          APIs
                            • Part of subcall function 00A83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A83A97,?,?,00A82E7F,?,?,?,00000000), ref: 00A83AC2
                            • Part of subcall function 00AEE199: GetFileAttributesW.KERNEL32(?,00AECF95), ref: 00AEE19A
                          • FindFirstFileW.KERNEL32(?,?), ref: 00AED122
                          • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00AED1DD
                          • MoveFileW.KERNEL32(?,?), ref: 00AED1F0
                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 00AED20D
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AED237
                            • Part of subcall function 00AED29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00AED21C,?,?), ref: 00AED2B2
                          • FindClose.KERNEL32(00000000,?,?,?), ref: 00AED253
                          • FindClose.KERNEL32(00000000), ref: 00AED264
                          Similarity
                          • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                          • String ID: \*.*
                          • API String ID: 1946585618-1173974218
                          • Opcode ID: 19a1fbfb2723afd52e01d474c34abc81014f0d70c3c0f3f8052e5a1eaa492cb6
                          • Instruction ID: 773eb41713eccbf4402595b0baabc6cd8e261d1d8bdf2197a5bd629b8caa02ae
                          • Opcode Fuzzy Hash: 19a1fbfb2723afd52e01d474c34abc81014f0d70c3c0f3f8052e5a1eaa492cb6
                          • Instruction Fuzzy Hash: 0B615B3180514DABCF05FBE1CA929FEBBB5AF25300F648169E40277191EB31AF09DB61
                          APIs
                          Similarity
                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                          • String ID:
                          • API String ID: 1737998785-0
                          • Opcode ID: af9a3ef8ef8e53c79e328b08e274697bdcd5115abc236c349af198df0037c115
                          • Instruction ID: 79a95a6904572e620bdd06bbf713174e58427e41e2642bfe31d36e9f6eebb1a1
                          • Opcode Fuzzy Hash: af9a3ef8ef8e53c79e328b08e274697bdcd5115abc236c349af198df0037c115
                          • Instruction Fuzzy Hash: 4441BE35204611AFE320DF55E888B69BBE5FF44328F54C4A9F5558BA72CB35EC41CB90
                          APIs
                            • Part of subcall function 00AE16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AE170D
                            • Part of subcall function 00AE16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AE173A
                            • Part of subcall function 00AE16C3: GetLastError.KERNEL32 ref: 00AE174A
                          • ExitWindowsEx.USER32(?,00000000), ref: 00AEE932
                          Similarity
                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                          • String ID: $ $@$SeShutdownPrivilege
                          • API String ID: 2234035333-3163812486
                          • Opcode ID: 51cbaaf0018f5be85d6040b6eea9415b9a15a5306df5722d4c4e7233fc8c1ea1
                          • Instruction ID: 3b91874b001344c0658f943144be4fe9e4ff5367617d301409d7b6b0e21bdedd
                          • Opcode Fuzzy Hash: 51cbaaf0018f5be85d6040b6eea9415b9a15a5306df5722d4c4e7233fc8c1ea1
                          • Instruction Fuzzy Hash: E601F972650251ABEB54A7B69C8AFFFB2EC9718750F154422FC13E71D3EAB09C4481A4
                          APIs
                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B01276
                          • WSAGetLastError.WSOCK32 ref: 00B01283
                          • bind.WSOCK32(00000000,?,00000010), ref: 00B012BA
                          • WSAGetLastError.WSOCK32 ref: 00B012C5
                          • closesocket.WSOCK32(00000000), ref: 00B012F4
                          • listen.WSOCK32(00000000,00000005), ref: 00B01303
                          • WSAGetLastError.WSOCK32 ref: 00B0130D
                          • closesocket.WSOCK32(00000000), ref: 00B0133C
                          Similarity
                          • API ID: ErrorLast$closesocket$bindlistensocket
                          • String ID:
                          • API String ID: 540024437-0
                          APIs
                          • _free.LIBCMT ref: 00ABB9D4
                          • _free.LIBCMT ref: 00ABB9F8
                          • _free.LIBCMT ref: 00ABBB7F
                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00B23700), ref: 00ABBB91
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00B5121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00ABBC09
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00B51270,000000FF,?,0000003F,00000000,?), ref: 00ABBC36
                          • _free.LIBCMT ref: 00ABBD4B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _free$ByteCharMultiWide$InformationTimeZone
                          • String ID:
                          • API String ID: 314583886-0
                          APIs
                            • Part of subcall function 00A83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A83A97,?,?,00A82E7F,?,?,?,00000000), ref: 00A83AC2
                            • Part of subcall function 00AEE199: GetFileAttributesW.KERNEL32(?,00AECF95), ref: 00AEE19A
                          • FindFirstFileW.KERNEL32(?,?), ref: 00AED420
                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 00AED470
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AED481
                          • FindClose.KERNEL32(00000000), ref: 00AED498
                          • FindClose.KERNEL32(00000000), ref: 00AED4A1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                          • String ID: \*.*
                          • API String ID: 2649000838-1173974218
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: __floor_pentium4
                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                          • API String ID: 4168288129-2761157908
                          APIs
                          • _wcslen.LIBCMT ref: 00AF64DC
                          • CoInitialize.OLE32(00000000), ref: 00AF6639
                          • CoCreateInstance.OLE32(00B1FCF8,00000000,00000001,00B1FB68,?), ref: 00AF6650
                          • CoUninitialize.OLE32 ref: 00AF68D4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                          • String ID: .lnk
                          • API String ID: 886957087-24824748
                          APIs
                          • GetForegroundWindow.USER32(?,?,00000000), ref: 00B022E8
                            • Part of subcall function 00AFE4EC: GetWindowRect.USER32(?,?), ref: 00AFE504
                          • GetDesktopWindow.USER32 ref: 00B02312
                          • GetWindowRect.USER32(00000000), ref: 00B02319
                          • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00B02355
                          • GetCursorPos.USER32(?), ref: 00B02381
                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B023DF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Window$Rectmouse_event$CursorDesktopForeground
                          • String ID:
                          • API String ID: 2387181109-0
                          APIs
                            • Part of subcall function 00A89CB3: _wcslen.LIBCMT ref: 00A89CBD
                          • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00AF9B78
                          • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00AF9C8B
                            • Part of subcall function 00AF3874: GetInputState.USER32 ref: 00AF38CB
                            • Part of subcall function 00AF3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AF3966
                          • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00AF9BA8
                          • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00AF9C75
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                          • String ID: *.*
                          • API String ID: 1972594611-438819550
                          APIs
                            • Part of subcall function 00A99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A99BB2
                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 00A99A4E
                          • GetSysColor.USER32(0000000F), ref: 00A99B23
                          • SetBkColor.GDI32(?,00000000), ref: 00A99B36
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Color$LongProcWindow
                          • String ID:
                          • API String ID: 3131106179-0
                          APIs
                            • Part of subcall function 00B0304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B0307A
                            • Part of subcall function 00B0304E: _wcslen.LIBCMT ref: 00B0309B
                          • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00B0185D
                          • WSAGetLastError.WSOCK32 ref: 00B01884
                          • bind.WSOCK32(00000000,?,00000010), ref: 00B018DB
                          • WSAGetLastError.WSOCK32 ref: 00B018E6
                          • closesocket.WSOCK32(00000000), ref: 00B01915
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                          • String ID:
                          • API String ID: 1601658205-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                          • String ID:
                          • API String ID: 292994002-0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                          • API String ID: 0-1546025612
                          APIs
                          • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00AEAAAC
                          • SetKeyboardState.USER32(00000080), ref: 00AEAAC8
                          • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00AEAB36
                          • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00AEAB88
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: KeyboardState$InputMessagePostSend
                          • String ID:
                          • API String ID: 432972143-0
                          APIs
                          • InternetReadFile.WININET(?,?,00000400,?), ref: 00AFCE89
                          • GetLastError.KERNEL32(?,00000000), ref: 00AFCEEA
                          • SetEvent.KERNEL32(?,?,00000000), ref: 00AFCEFE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ErrorEventFileInternetLastRead
                          • String ID:
                          • API String ID: 234945975-0
                          APIs
                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00AE82AA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: lstrlen
                          • String ID: ($|
                          • API String ID: 1659193697-1631851259
                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 00AF5CC1
                          • FindNextFileW.KERNEL32(00000000,?), ref: 00AF5D17
                          • FindClose.KERNEL32(?), ref: 00AF5D5F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Find$File$CloseFirstNext
                          • String ID:
                          • API String ID: 3541575487-0
                          APIs
                          • IsDebuggerPresent.KERNEL32 ref: 00AB271A
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00AB2724
                          • UnhandledExceptionFilter.KERNEL32(?), ref: 00AB2731
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                          • String ID:
                          • API String ID: 3906539128-0
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 00AF51DA
                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00AF5238
                          • SetErrorMode.KERNEL32(00000000), ref: 00AF52A1
                          Similarity
                          • API ID: ErrorMode$DiskFreeSpace
                          • String ID:
                          • API String ID: 1682464887-0
                          APIs
                            • Part of subcall function 00A9FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00AA0668
                            • Part of subcall function 00A9FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00AA0685
                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AE170D
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AE173A
                          • GetLastError.KERNEL32 ref: 00AE174A
                          Similarity
                          • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                          • String ID:
                          • API String ID: 577356006-0
                          APIs
                          • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00AED608
                          • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00AED645
                          • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00AED650
                          Similarity
                          • API ID: CloseControlCreateDeviceFileHandle
                          • String ID:
                          • API String ID: 33631002-0
                          APIs
                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00AE168C
                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00AE16A1
                          • FreeSid.ADVAPI32(?), ref: 00AE16B1
                          Similarity
                          • API ID: AllocateCheckFreeInitializeMembershipToken
                          • String ID:
                          • API String ID: 3429775523-0
                          Strings
                          Similarity
                          • API ID:
                          • String ID: /
                          • API String ID: 0-2043925204
                          APIs
                          • GetUserNameW.ADVAPI32(?,?), ref: 00ADD28C
                          Strings
                          Similarity
                          • API ID: NameUser
                          • String ID: X64
                          • API String ID: 2645101109-893830106
                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 00AF6918
                          • FindClose.KERNEL32(00000000), ref: 00AF6961
                          Similarity
                          • API ID: Find$CloseFileFirst
                          • String ID:
                          • API String ID: 2295610775-0
                          APIs
                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00B04891,?,?,00000035,?), ref: 00AF37E4
                          • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00B04891,?,?,00000035,?), ref: 00AF37F4
                          Similarity
                          • API ID: ErrorFormatLastMessage
                          • String ID:
                          • API String ID: 3479602957-0
                          APIs
                          • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00AEB25D
                          • keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 00AEB270
                          Similarity
                          • API ID: InputSendkeybd_event
                          • String ID:
                          • API String ID: 3536248340-0
                          APIs
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AE11FC), ref: 00AE10D4
                          • CloseHandle.KERNEL32(?,?,00AE11FC), ref: 00AE10E9
                          Similarity
                          • API ID: AdjustCloseHandlePrivilegesToken
                          • String ID:
                          • API String ID: 81990902-0
                          Strings
                          • Variable is not of type 'Object'., xrefs: 00AD0C40
                          Similarity
                          • API ID:
                          • String ID: Variable is not of type 'Object'.
                          • API String ID: 0-1840281001
                          APIs
                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00AB6766,?,?,00000008,?,?,00ABFEFE,00000000), ref: 00AB6998
                          Similarity
                          • API ID: ExceptionRaise
                          • String ID:
                          • API String ID: 3997070919-0
                          Strings
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID: 0-3916222277
                          APIs
                          • BlockInput.USER32(00000001), ref: 00AFEABD
                          Similarity
                          • API ID: BlockInput
                          • String ID:
                          • API String ID: 3456056419-0
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00AA03EE), ref: 00AA09DA
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          Strings
                          Similarity
                          • API ID:
                          • String ID: 0
                          • API String ID: 0-4108050209
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 61a63bb8b4adcfff60ba35267b64d96007e5cab59dd6070381b01fa1f638f80b
                          • Instruction ID: f7302250b88250565732704f09020a26930520a079ddf4bef231cee01807d756
                          • Opcode Fuzzy Hash: 61a63bb8b4adcfff60ba35267b64d96007e5cab59dd6070381b01fa1f638f80b
                          • Instruction Fuzzy Hash: 9432E131B401168BDF28CB69C4946BD7BF2EB45330FA8856BD49B9B392D634DE81DB40
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cb22ba4ab10ad03b5a6613b04f6f5343f8339ab054421c01e8d243f70b46988c
                          • Instruction ID: 1f513b970b14c9cefb652aacb93709e7d4488baed12615294f9b45d008960ba5
                          • Opcode Fuzzy Hash: cb22ba4ab10ad03b5a6613b04f6f5343f8339ab054421c01e8d243f70b46988c
                          • Instruction Fuzzy Hash: BF228F70E046099FDF14DFA5C981BAEB7F6FF44300F244529E816AB291EB35E951CB50
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fd6261bc37a9c347e6d34f7b11f88e13663a304c737b3f6712c4729c4dc2539e
                          • Instruction ID: 51b4c00f11c00933c3ae81e48db03469c54e59f413f57b477c2b2788b431d99b
                          • Opcode Fuzzy Hash: fd6261bc37a9c347e6d34f7b11f88e13663a304c737b3f6712c4729c4dc2539e
                          • Instruction Fuzzy Hash: F70280B1A0020AEFDF04DF54D981BAEB7F1FF44340F158169E816DB291EB31AA21CB95
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d9a741f98128e3f170f3c25c4e2ad1c575ff62b1df76b115259c6a460a5fe445
                          • Instruction ID: a93be53529e9004efe11b325dd427d76790308967ac044447f059c02d66dfd55
                          • Opcode Fuzzy Hash: d9a741f98128e3f170f3c25c4e2ad1c575ff62b1df76b115259c6a460a5fe445
                          • Instruction Fuzzy Hash: DFB1F220D2AF414DD32396398871336B69CAFBB6D5F91D71BFC2675D22EF2686834140
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                          • Instruction ID: 4e36eb484c560cbb63633f516119c626051bcc5d79c30b1d7cb7cb93eedef793
                          • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                          • Instruction Fuzzy Hash: 569153726080A35ADB29473A857407EFFE15A933B2B1A079ED4F2CB1C5FF249964D620
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                          • Instruction ID: 5e829aecc28e684111fe55ee5fd4f9fcfc46f005b644cf1a9b16d502cac15660
                          • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                          • Instruction Fuzzy Hash: EF912F722090A34EDB69473D857453EFFE15A933A171A079EE4F2CB1C5EF248964E720
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                          • Instruction ID: 96d52092c10e8c1ab45088d8743351ec65cf85cf093652d2eb3d7e33c3889cdc
                          • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                          • Instruction Fuzzy Hash: 549130722090A35EDB69477A857403EFFF15A933A2B1A079ED4F2CB1C1FF248965D620
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ebf312025fd685482e07da92bcadefc8b07612218551987a7ef8ca380c887fb1
                          • Instruction ID: 27f845dc10b4906fc426ee2810f3034d68a0585c799b5820c95135d1b2c08dd0
                          • Opcode Fuzzy Hash: ebf312025fd685482e07da92bcadefc8b07612218551987a7ef8ca380c887fb1
                          • Instruction Fuzzy Hash: F96137B1708709A6DE349B288D95BBF63A8DF43750F24091AE843DB2C1DB159E42C775
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0de080297a5409d978f6569f19a908afe248f3a4ecbd8095941aeb785e659bbe
                          • Instruction ID: 447c52a392f2bf35b438ffcdc35c8f3f7e386d4dfbedc3361b3748c028e9deaf
                          • Opcode Fuzzy Hash: 0de080297a5409d978f6569f19a908afe248f3a4ecbd8095941aeb785e659bbe
                          • Instruction Fuzzy Hash: A661997160870967DF388B288DA5BBF63A8EF43704F14095AE943DB2C1EB16ED428B55
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                          • Instruction ID: f3064c1ef404cf326a88a49b6cc334b914c53b16a87077993816bddc45391849
                          • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                          • Instruction Fuzzy Hash: 848174726090A31DDB6D473A857443EFFE15A933A1B1A079DD4F2CB1C1EF24C954E620
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 258c31b98c21070db14766f0e04f80bb9f7ca5d19298dc7472ee0d830283b858
                          • Instruction ID: 0b40acc8305f8a9403fc51106febde4f8529244de17a77a5ac17b760e15b7156
                          • Opcode Fuzzy Hash: 258c31b98c21070db14766f0e04f80bb9f7ca5d19298dc7472ee0d830283b858
                          • Instruction Fuzzy Hash: 75512A9985FBDA1FDB179734886A198FFB0AC1726174887CFD8825E8CBD381041AC75B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 284c4cdcf42df3814828f3ca44ad4ee68e879d544a6254c94109ab6f711dac70
                          • Instruction ID: ff8ae548ba247c5f1dbd8e70ac8d45b9f1502eab957b2bb6343cb0f9cd3f8453
                          • Opcode Fuzzy Hash: 284c4cdcf42df3814828f3ca44ad4ee68e879d544a6254c94109ab6f711dac70
                          • Instruction Fuzzy Hash: B521A5326216158BDB28CF79C82277A73E5A764311F15866EE4A7C37D0DE39AD04CB80
                          APIs
                          • DeleteObject.GDI32(00000000), ref: 00B02B30
                          • DeleteObject.GDI32(00000000), ref: 00B02B43
                          • DestroyWindow.USER32 ref: 00B02B52
                          • GetDesktopWindow.USER32 ref: 00B02B6D
                          • GetWindowRect.USER32(00000000), ref: 00B02B74
                          • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00B02CA3
                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00B02CB1
                          • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B02CF8
                          • GetClientRect.USER32(00000000,?), ref: 00B02D04
                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B02D40
                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B02D62
                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B02D75
                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B02D80
                          • GlobalLock.KERNEL32(00000000), ref: 00B02D89
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B02D98
                          • GlobalUnlock.KERNEL32(00000000), ref: 00B02DA1
                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B02DA8
                          • GlobalFree.KERNEL32(00000000), ref: 00B02DB3
                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B02DC5
                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00B1FC38,00000000), ref: 00B02DDB
                          • GlobalFree.KERNEL32(00000000), ref: 00B02DEB
                          • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00B02E11
                          • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00B02E30
                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B02E52
                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B0303F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                          • String ID: $AutoIt v3$DISPLAY$static
                          • API String ID: 2211948467-2373415609
                          • Opcode ID: 4be34078b4bc6f0c90c18eac45af2728118c252187ddd736e904d7701c257b78
                          • Instruction ID: 114e6cd75076a1fa9b2eedb53aa4ff41fe7ef931a7424e0efc35b3106dfc52b2
                          • Opcode Fuzzy Hash: 4be34078b4bc6f0c90c18eac45af2728118c252187ddd736e904d7701c257b78
                          • Instruction Fuzzy Hash: 93028A71940205AFDB14DFA4CD89EAE7FB9FB49711F108598F915AB2A1DB70ED00CB60
                          APIs
                          • SetTextColor.GDI32(?,00000000), ref: 00B1712F
                          • GetSysColorBrush.USER32(0000000F), ref: 00B17160
                          • GetSysColor.USER32(0000000F), ref: 00B1716C
                          • SetBkColor.GDI32(?,000000FF), ref: 00B17186
                          • SelectObject.GDI32(?,?), ref: 00B17195
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00B171C0
                          • GetSysColor.USER32(00000010), ref: 00B171C8
                          • CreateSolidBrush.GDI32(00000000), ref: 00B171CF
                          • FrameRect.USER32(?,?,00000000), ref: 00B171DE
                          • DeleteObject.GDI32(00000000), ref: 00B171E5
                          • InflateRect.USER32(?,000000FE,000000FE), ref: 00B17230
                          • FillRect.USER32(?,?,?), ref: 00B17262
                          • GetWindowLongW.USER32(?,000000F0), ref: 00B17284
                            • Part of subcall function 00B173E8: GetSysColor.USER32(00000012), ref: 00B17421
                            • Part of subcall function 00B173E8: SetTextColor.GDI32(?,?), ref: 00B17425
                            • Part of subcall function 00B173E8: GetSysColorBrush.USER32(0000000F), ref: 00B1743B
                            • Part of subcall function 00B173E8: GetSysColor.USER32(0000000F), ref: 00B17446
                            • Part of subcall function 00B173E8: GetSysColor.USER32(00000011), ref: 00B17463
                            • Part of subcall function 00B173E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B17471
                            • Part of subcall function 00B173E8: SelectObject.GDI32(?,00000000), ref: 00B17482
                            • Part of subcall function 00B173E8: SetBkColor.GDI32(?,00000000), ref: 00B1748B
                            • Part of subcall function 00B173E8: SelectObject.GDI32(?,?), ref: 00B17498
                            • Part of subcall function 00B173E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00B174B7
                            • Part of subcall function 00B173E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B174CE
                            • Part of subcall function 00B173E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00B174DB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                          • String ID:
                          • API String ID: 4124339563-0
                          • Opcode ID: 0fdbb45bb9256d78adf3454ce13e9b4155b9de03d6438633a7ee8e2e5baed45a
                          • Instruction ID: 67a98e6c50c074cbc8980a448beced26829d9f7290243ed250c0af910e11ddac
                          • Opcode Fuzzy Hash: 0fdbb45bb9256d78adf3454ce13e9b4155b9de03d6438633a7ee8e2e5baed45a
                          • Instruction Fuzzy Hash: 97A18E72088301FFDB019F60DC48A9A7BF9FB49320F904A19F962A71A1DB70E9458B91
                          APIs
                          • DestroyWindow.USER32(?,?), ref: 00A98E14
                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 00AD6AC5
                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00AD6AFE
                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00AD6F43
                            • Part of subcall function 00A98F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A98BE8,?,00000000,?,?,?,?,00A98BBA,00000000,?), ref: 00A98FC5
                          • SendMessageW.USER32(?,00001053), ref: 00AD6F7F
                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00AD6F96
                          • ImageList_Destroy.COMCTL32(00000000,?), ref: 00AD6FAC
                          • ImageList_Destroy.COMCTL32(00000000,?), ref: 00AD6FB7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                          • String ID: 0
                          • API String ID: 2760611726-4108050209
                          • Opcode ID: cb2483d5b6115b5d6543f3e5b04dccfb840690307f0985d43e11a8c42e384042
                          • Instruction ID: 2a0e38c1869611c395d7a9e4d0ee0e79f2711b21d637197e988245edd346806f
                          • Opcode Fuzzy Hash: cb2483d5b6115b5d6543f3e5b04dccfb840690307f0985d43e11a8c42e384042
                          • Instruction Fuzzy Hash: CC12AD30600611DFDB25CF28D994BAABBF5FB49301F54846AF4968B261CB35EC52CB91
                          APIs
                          • DestroyWindow.USER32(00000000), ref: 00B0273E
                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B0286A
                          • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00B028A9
                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00B028B9
                          • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00B02900
                          • GetClientRect.USER32(00000000,?), ref: 00B0290C
                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00B02955
                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B02964
                          • GetStockObject.GDI32(00000011), ref: 00B02974
                          • SelectObject.GDI32(00000000,00000000), ref: 00B02978
                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00B02988
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B02991
                          • DeleteDC.GDI32(00000000), ref: 00B0299A
                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B029C6
                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 00B029DD
                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00B02A1D
                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B02A31
                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 00B02A42
                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00B02A77
                          • GetStockObject.GDI32(00000011), ref: 00B02A82
                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B02A8D
                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00B02A97
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                          • API String ID: 2910397461-517079104
                          • Opcode ID: 5f767fc5a62092cdf3d4206eca6d3c4e67c98b84da7feb3cd4439abc359f9ade
                          • Instruction ID: b0e68b093fa5918c586f4fed15160483d76e85cb7301fafc6201f1eb26616f2b
                          • Opcode Fuzzy Hash: 5f767fc5a62092cdf3d4206eca6d3c4e67c98b84da7feb3cd4439abc359f9ade
                          • Instruction Fuzzy Hash: BCB14971A40215BFEB14DFA8CD89FAE7BB9EB08711F108554F915E72A0DB70AD40CBA4
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 00AF4AED
                          • GetDriveTypeW.KERNEL32(?,00B1CB68,?,\\.\,00B1CC08), ref: 00AF4BCA
                          • SetErrorMode.KERNEL32(00000000,00B1CB68,?,\\.\,00B1CC08), ref: 00AF4D36
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ErrorMode$DriveType
                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                          • API String ID: 2907320926-4222207086
                          • Opcode ID: 85a8120173ab2d3a797613af03d81fc28dbbba477c88595718beb95cc3163432
                          • Instruction ID: 5c7d31d69e6bdf5435c16c32d068931689cad9e41a63c4203d512441a16b6797
                          • Opcode Fuzzy Hash: 85a8120173ab2d3a797613af03d81fc28dbbba477c88595718beb95cc3163432
                          • Instruction Fuzzy Hash: 7E61D430A4520D9BCB04DFA4CA8197E77F0EB4D714B249065F906AB262DB35DE42EB52
                          APIs
                          • GetSysColor.USER32(00000012), ref: 00B17421
                          • SetTextColor.GDI32(?,?), ref: 00B17425
                          • GetSysColorBrush.USER32(0000000F), ref: 00B1743B
                          • GetSysColor.USER32(0000000F), ref: 00B17446
                          • CreateSolidBrush.GDI32(?), ref: 00B1744B
                          • GetSysColor.USER32(00000011), ref: 00B17463
                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B17471
                          • SelectObject.GDI32(?,00000000), ref: 00B17482
                          • SetBkColor.GDI32(?,00000000), ref: 00B1748B
                          • SelectObject.GDI32(?,?), ref: 00B17498
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00B174B7
                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B174CE
                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00B174DB
                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B1752A
                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B17554
                          • InflateRect.USER32(?,000000FD,000000FD), ref: 00B17572
                          • DrawFocusRect.USER32(?,?), ref: 00B1757D
                          • GetSysColor.USER32(00000011), ref: 00B1758E
                          • SetTextColor.GDI32(?,00000000), ref: 00B17596
                          • DrawTextW.USER32(?,00B170F5,000000FF,?,00000000), ref: 00B175A8
                          • SelectObject.GDI32(?,?), ref: 00B175BF
                          • DeleteObject.GDI32(?), ref: 00B175CA
                          • SelectObject.GDI32(?,?), ref: 00B175D0
                          • DeleteObject.GDI32(?), ref: 00B175D5
                          • SetTextColor.GDI32(?,?), ref: 00B175DB
                          • SetBkColor.GDI32(?,?), ref: 00B175E5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                          • String ID:
                          • API String ID: 1996641542-0
                          • Opcode ID: 87ccfeae3265ecb5d5b5a20ea8f8e1089733a109b7632a943e3c34a13e59f59f
                          • Instruction ID: 20c9c8fa4ffc88904643ec9b3ad3a3364225fb471cbfa23273ce1911398c66c0
                          • Opcode Fuzzy Hash: 87ccfeae3265ecb5d5b5a20ea8f8e1089733a109b7632a943e3c34a13e59f59f
                          • Instruction Fuzzy Hash: 02615D72984218FFDF019FA4DC49AEE7FB9EB08320F618155F915BB2A1DB749940CB90
                          APIs
                          • GetCursorPos.USER32(?), ref: 00B11128
                          • GetDesktopWindow.USER32 ref: 00B1113D
                          • GetWindowRect.USER32(00000000), ref: 00B11144
                          • GetWindowLongW.USER32(?,000000F0), ref: 00B11199
                          • DestroyWindow.USER32(?), ref: 00B111B9
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B111ED
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B1120B
                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B1121D
                          • SendMessageW.USER32(00000000,00000421,?,?), ref: 00B11232
                          • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00B11245
                          • IsWindowVisible.USER32(00000000), ref: 00B112A1
                          • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00B112BC
                          • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00B112D0
                          • GetWindowRect.USER32(00000000,?), ref: 00B112E8
                          • MonitorFromPoint.USER32(?,?,00000002), ref: 00B1130E
                          • GetMonitorInfoW.USER32(00000000,?), ref: 00B11328
                          • CopyRect.USER32(?,?), ref: 00B1133F
                          • SendMessageW.USER32(00000000,00000412,00000000), ref: 00B113AA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                          • String ID: ($0$tooltips_class32
                          • API String ID: 698492251-4156429822
                          • Opcode ID: 61546cc84ab6ce67390fc6e5fed97a534542c60d0ea1000c209956d57b5879a9
                          • Instruction ID: 36c76d7c6fe2e35d55136b50c7b14d2c49946b01c6232ddb803493fd5f7228a2
                          • Opcode Fuzzy Hash: 61546cc84ab6ce67390fc6e5fed97a534542c60d0ea1000c209956d57b5879a9
                          • Instruction Fuzzy Hash: 5AB19E71604341AFD704DF68C985BAEBBE4FF88750F408958FA999B2A1CB31DC44CBA1
                          APIs
                          • CharUpperBuffW.USER32(?,?), ref: 00B102E5
                          • _wcslen.LIBCMT ref: 00B1031F
                          • _wcslen.LIBCMT ref: 00B10389
                          • _wcslen.LIBCMT ref: 00B103F1
                          • _wcslen.LIBCMT ref: 00B10475
                          • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00B104C5
                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B10504
                            • Part of subcall function 00A9F9F2: _wcslen.LIBCMT ref: 00A9F9FD
                            • Part of subcall function 00AE223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AE2258
                            • Part of subcall function 00AE223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AE228A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _wcslen$MessageSend$BuffCharUpper
                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                          • API String ID: 1103490817-719923060
                          • Opcode ID: 4bd7993f96bb95a50c869e124eccfad9a97fc44772cbe197e874c4b27d184596
                          • Instruction ID: 0a77face2f4fa4aec55a1eaa64f0884f4394e91ed08418d18ba247c0935edba7
                          • Opcode Fuzzy Hash: 4bd7993f96bb95a50c869e124eccfad9a97fc44772cbe197e874c4b27d184596
                          • Instruction Fuzzy Hash: C5E1C2312282018FC714EF24C5909AAB7E6FFD8714B94499CF8969B3A1DB70EDC5CB51
                          APIs
                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A98968
                          • GetSystemMetrics.USER32(00000007), ref: 00A98970
                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A9899B
                          • GetSystemMetrics.USER32(00000008), ref: 00A989A3
                          • GetSystemMetrics.USER32(00000004), ref: 00A989C8
                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A989E5
                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A989F5
                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A98A28
                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A98A3C
                          • GetClientRect.USER32(00000000,000000FF), ref: 00A98A5A
                          • GetStockObject.GDI32(00000011), ref: 00A98A76
                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00A98A81
                            • Part of subcall function 00A9912D: GetCursorPos.USER32(?), ref: 00A99141
                            • Part of subcall function 00A9912D: ScreenToClient.USER32(00000000,?), ref: 00A9915E
                            • Part of subcall function 00A9912D: GetAsyncKeyState.USER32(00000001), ref: 00A99183
                            • Part of subcall function 00A9912D: GetAsyncKeyState.USER32(00000002), ref: 00A9919D
                          • SetTimer.USER32(00000000,00000000,00000028,00A990FC), ref: 00A98AA8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                          • String ID: AutoIt v3 GUI
                          • API String ID: 1458621304-248962490
                          • Opcode ID: cbb68c01de623015d40f64880b3e00c46bcdd138b521046526d7ad059d4ea7f4
                          • Instruction ID: 7f5d2e9f72d1df0a4983efe84fbd597f26768798f4b8c47dc79b7b0c5b4b082a
                          • Opcode Fuzzy Hash: cbb68c01de623015d40f64880b3e00c46bcdd138b521046526d7ad059d4ea7f4
                          • Instruction Fuzzy Hash: E7B16C71A40209AFDF14DFA8CD45BEE3BF5FB48315F10856AFA16A7290DB34A841CB50
                          APIs
                            • Part of subcall function 00AE10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AE1114
                            • Part of subcall function 00AE10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00AE0B9B,?,?,?), ref: 00AE1120
                            • Part of subcall function 00AE10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00AE0B9B,?,?,?), ref: 00AE112F
                            • Part of subcall function 00AE10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00AE0B9B,?,?,?), ref: 00AE1136
                            • Part of subcall function 00AE10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AE114D
                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AE0DF5
                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AE0E29
                          • GetLengthSid.ADVAPI32(?), ref: 00AE0E40
                          • GetAce.ADVAPI32(?,00000000,?), ref: 00AE0E7A
                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AE0E96
                          • GetLengthSid.ADVAPI32(?), ref: 00AE0EAD
                          • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00AE0EB5
                          • HeapAlloc.KERNEL32(00000000), ref: 00AE0EBC
                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AE0EDD
                          • CopySid.ADVAPI32(00000000), ref: 00AE0EE4
                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AE0F13
                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AE0F35
                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AE0F47
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE0F6E
                          • HeapFree.KERNEL32(00000000), ref: 00AE0F75
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE0F7E
                          • HeapFree.KERNEL32(00000000), ref: 00AE0F85
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE0F8E
                          • HeapFree.KERNEL32(00000000), ref: 00AE0F95
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00AE0FA1
                          • HeapFree.KERNEL32(00000000), ref: 00AE0FA8
                            • Part of subcall function 00AE1193: GetProcessHeap.KERNEL32(00000008,00AE0BB1,?,00000000,?,00AE0BB1,?), ref: 00AE11A1
                            • Part of subcall function 00AE1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00AE0BB1,?), ref: 00AE11A8
                            • Part of subcall function 00AE1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00AE0BB1,?), ref: 00AE11B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                          • String ID:
                          • API String ID: 4175595110-0
                          • Opcode ID: 580e6f562cc295c66c843e4d46a42da7f810d4f0c1a15c65fd50a88fd5b766b7
                          • Instruction ID: 5580bcdc49d0f757909d8c1cebcad1b28946db06283d7b4ae86d51dd22fd186a
                          • Opcode Fuzzy Hash: 580e6f562cc295c66c843e4d46a42da7f810d4f0c1a15c65fd50a88fd5b766b7
                          • Instruction Fuzzy Hash: CA717B7294024AABDB209FA5DC48FEEBBB8BF08300F148115F959E7191DB709E55CB60
                          APIs
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B0C4BD
                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00B1CC08,00000000,?,00000000,?,?), ref: 00B0C544
                          • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00B0C5A4
                          • _wcslen.LIBCMT ref: 00B0C5F4
                          • _wcslen.LIBCMT ref: 00B0C66F
                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00B0C6B2
                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00B0C7C1
                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00B0C84D
                          • RegCloseKey.ADVAPI32(?), ref: 00B0C881
                          • RegCloseKey.ADVAPI32(00000000), ref: 00B0C88E
                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00B0C960
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                          • API String ID: 9721498-966354055
                          • Opcode ID: 730ccc2e3c724ae7dfe14ad2ce0b1207e2773560d560cb2c38791f7149b6adee
                          • Instruction ID: ca5ab5113f6a5354c19319ee68ccea4a9315b43483174edfa740231d19ae225d
                          • Opcode Fuzzy Hash: 730ccc2e3c724ae7dfe14ad2ce0b1207e2773560d560cb2c38791f7149b6adee
                          • Instruction Fuzzy Hash: 181269356042019FDB14EF14C981A2ABBE5FF88714F14899CF89A9B3A2DB31FD41CB95
                          APIs
                          • CharUpperBuffW.USER32(?,?), ref: 00B109C6
                          • _wcslen.LIBCMT ref: 00B10A01
                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B10A54
                          • _wcslen.LIBCMT ref: 00B10A8A
                          • _wcslen.LIBCMT ref: 00B10B06
                          • _wcslen.LIBCMT ref: 00B10B81
                            • Part of subcall function 00A9F9F2: _wcslen.LIBCMT ref: 00A9F9FD
                            • Part of subcall function 00AE2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AE2BFA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _wcslen$MessageSend$BuffCharUpper
                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                          • API String ID: 1103490817-4258414348
                          • Opcode ID: 0e269150fd342cf76365a0d2f9f27fca3bfe8d5a49fb774ac847393a8305c68b
                          • Instruction ID: 0d91e5beded7437b4d56776ff64acdfc1b132441ba983bb82e9cfbe63e362c70
                          • Opcode Fuzzy Hash: 0e269150fd342cf76365a0d2f9f27fca3bfe8d5a49fb774ac847393a8305c68b
                          • Instruction Fuzzy Hash: 3BE1AF312283418FCB14EF24C59096AB7E1FF98314F94899DF8969B362DB70ED85CB91
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _wcslen$BuffCharUpper
                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                          • API String ID: 1256254125-909552448
                          • Opcode ID: 782b0024cbd1fc9c6cb47b2810e48cc5fc2768cb721c49f9bdded7a34ec4f72c
                          • Instruction ID: f61031300e11efba1ca26e588e472f23d4fae8c92f01c0ecb75d87bb3eccf6f6
                          • Opcode Fuzzy Hash: 782b0024cbd1fc9c6cb47b2810e48cc5fc2768cb721c49f9bdded7a34ec4f72c
                          • Instruction Fuzzy Hash: 2871E13360016A8BDB20DF6CC9415BB3FD5EBA1750B6507A8F866972D8EB30CE45D3A0
                          APIs
                          • _wcslen.LIBCMT ref: 00B1835A
                          • _wcslen.LIBCMT ref: 00B1836E
                          • _wcslen.LIBCMT ref: 00B18391
                          • _wcslen.LIBCMT ref: 00B183B4
                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B183F2
                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00B15BF2), ref: 00B1844E
                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B18487
                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00B184CA
                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B18501
                          • FreeLibrary.KERNEL32(?), ref: 00B1850D
                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B1851D
                          • DestroyIcon.USER32(?,?,?,?,?,00B15BF2), ref: 00B1852C
                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B18549
                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B18555
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                          • String ID: .dll$.exe$.icl
                          • API String ID: 799131459-1154884017
                          • Opcode ID: 6b9e146e384dca60765044d0ad9f27ea82be78c2dbbd3cee56ff4e67cb8e4922
                          • Instruction ID: 29e6ed438dbe608c480323990dcc36ac5822c26489e369eab03f4ee408bde6b4
                          • Opcode Fuzzy Hash: 6b9e146e384dca60765044d0ad9f27ea82be78c2dbbd3cee56ff4e67cb8e4922
                          • Instruction Fuzzy Hash: EB61CF71540205BAEB14DF64DC81BFE7BA8FB18B11F508649F815D71D1DFB4AA90CBA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                          • API String ID: 0-1645009161
                          • Opcode ID: 3d6c0787845a14dbd1b514643656b5d876c72e0ddd63896133a600b909e1ec1c
                          • Instruction ID: 6b4dcbba685b4aae6d6ef73fdf8841f87a23eeb22aecdf7522661659f3f08898
                          • Opcode Fuzzy Hash: 3d6c0787845a14dbd1b514643656b5d876c72e0ddd63896133a600b909e1ec1c
                          • Instruction Fuzzy Hash: 9C81D071A44605BBDB20BF60CD42FAF7BB8AF15300F154068F805AB1D6EB74EA91C7A1
                          APIs
                          • CharLowerBuffW.USER32(?,?), ref: 00AF3EF8
                          • _wcslen.LIBCMT ref: 00AF3F03
                          • _wcslen.LIBCMT ref: 00AF3F5A
                          • _wcslen.LIBCMT ref: 00AF3F98
                          • GetDriveTypeW.KERNEL32(?), ref: 00AF3FD6
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AF401E
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AF4059
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AF4087
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: SendString_wcslen$BuffCharDriveLowerType
                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                          • API String ID: 1839972693-4113822522
                          • Opcode ID: 02ce18d7ca4d04462a49f861ade83d91702b28cce1ceab91d1775d75a4684af6
                          • Instruction ID: b9e938064f59cbf9ed921c97bd564fad0dc61479abd496abb8357e2b3859fa43
                          • Opcode Fuzzy Hash: 02ce18d7ca4d04462a49f861ade83d91702b28cce1ceab91d1775d75a4684af6
                          • Instruction Fuzzy Hash: F171CD32A042069FC710EF24C98197BB7F4EF99758F00492DFA9697261EB30DE45CB92
                          APIs
                          • LoadIconW.USER32(00000063), ref: 00AE5A2E
                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00AE5A40
                          • SetWindowTextW.USER32(?,?), ref: 00AE5A57
                          • GetDlgItem.USER32(?,000003EA), ref: 00AE5A6C
                          • SetWindowTextW.USER32(00000000,?), ref: 00AE5A72
                          • GetDlgItem.USER32(?,000003E9), ref: 00AE5A82
                          • SetWindowTextW.USER32(00000000,?), ref: 00AE5A88
                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00AE5AA9
                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00AE5AC3
                          • GetWindowRect.USER32(?,?), ref: 00AE5ACC
                          • _wcslen.LIBCMT ref: 00AE5B33
                          • SetWindowTextW.USER32(?,?), ref: 00AE5B6F
                          • GetDesktopWindow.USER32 ref: 00AE5B75
                          • GetWindowRect.USER32(00000000), ref: 00AE5B7C
                          • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00AE5BD3
                          • GetClientRect.USER32(?,?), ref: 00AE5BE0
                          • PostMessageW.USER32(?,00000005,00000000,?), ref: 00AE5C05
                          • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00AE5C2F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                          • String ID:
                          • API String ID: 895679908-0
                          • Opcode ID: d69c05e5c3708ba00e86ebb76acd45ac9aa233596fd33451fd400d0ab00a630e
                          • Instruction ID: c3ed702d0f3d9a3039073a7642d0487925b6fb6e64666b79552a15f56a423bcf
                          • Opcode Fuzzy Hash: d69c05e5c3708ba00e86ebb76acd45ac9aa233596fd33451fd400d0ab00a630e
                          • Instruction Fuzzy Hash: 4A715D31900B49AFDB20DFB9DE85AAEBBF5FF48708F104518E542A35A0DB75E944CB50
                          APIs
                          • LoadCursorW.USER32(00000000,00007F89), ref: 00AFFE27
                          • LoadCursorW.USER32(00000000,00007F8A), ref: 00AFFE32
                          • LoadCursorW.USER32(00000000,00007F00), ref: 00AFFE3D
                          • LoadCursorW.USER32(00000000,00007F03), ref: 00AFFE48
                          • LoadCursorW.USER32(00000000,00007F8B), ref: 00AFFE53
                          • LoadCursorW.USER32(00000000,00007F01), ref: 00AFFE5E
                          • LoadCursorW.USER32(00000000,00007F81), ref: 00AFFE69
                          • LoadCursorW.USER32(00000000,00007F88), ref: 00AFFE74
                          • LoadCursorW.USER32(00000000,00007F80), ref: 00AFFE7F
                          • LoadCursorW.USER32(00000000,00007F86), ref: 00AFFE8A
                          • LoadCursorW.USER32(00000000,00007F83), ref: 00AFFE95
                          • LoadCursorW.USER32(00000000,00007F85), ref: 00AFFEA0
                          • LoadCursorW.USER32(00000000,00007F82), ref: 00AFFEAB
                          • LoadCursorW.USER32(00000000,00007F84), ref: 00AFFEB6
                          • LoadCursorW.USER32(00000000,00007F04), ref: 00AFFEC1
                          • LoadCursorW.USER32(00000000,00007F02), ref: 00AFFECC
                          • GetCursorInfo.USER32(?), ref: 00AFFEDC
                          • GetLastError.KERNEL32 ref: 00AFFF1E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Cursor$Load$ErrorInfoLast
                          • String ID:
                          • API String ID: 3215588206-0
                          • Opcode ID: 6d15f25c2c41ccaee6fb90310c070c3be2ec058f426e0eb6fef4479af3602b17
                          • Instruction ID: 4379941068ccfc1d76dfbb101ac3fab2477320f40f762b4872c3d35bfed16523
                          • Opcode Fuzzy Hash: 6d15f25c2c41ccaee6fb90310c070c3be2ec058f426e0eb6fef4479af3602b17
                          • Instruction Fuzzy Hash: 914144B0D443196EDB109FBA8C8586EBFE8FF04754B50852AF11DE7291DB789901CF91
                          APIs
                          • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00AA00C6
                            • Part of subcall function 00AA00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00B5070C,00000FA0,9BD04A08,?,?,?,?,00AC23B3,000000FF), ref: 00AA011C
                            • Part of subcall function 00AA00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00AC23B3,000000FF), ref: 00AA0127
                            • Part of subcall function 00AA00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00AC23B3,000000FF), ref: 00AA0138
                            • Part of subcall function 00AA00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00AA014E
                            • Part of subcall function 00AA00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00AA015C
                            • Part of subcall function 00AA00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00AA016A
                            • Part of subcall function 00AA00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00AA0195
                            • Part of subcall function 00AA00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00AA01A0
                          • ___scrt_fastfail.LIBCMT ref: 00AA00E7
                            • Part of subcall function 00AA00A3: __onexit.LIBCMT ref: 00AA00A9
                          Strings
                          • InitializeConditionVariable, xrefs: 00AA0148
                          • SleepConditionVariableCS, xrefs: 00AA0154
                          • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00AA0122
                          • kernel32.dll, xrefs: 00AA0133
                          • WakeAllConditionVariable, xrefs: 00AA0162
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                          • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                          • API String ID: 66158676-1714406822
                          • Opcode ID: 6884776bada938eb51a3e19e87eb8e0559789972622ec0947303c8f16696194c
                          • Instruction ID: 79abcac19d06b2f2bd67a667436abab71b1a80dc5d3b22565183389b89791149
                          • Opcode Fuzzy Hash: 6884776bada938eb51a3e19e87eb8e0559789972622ec0947303c8f16696194c
                          • Instruction Fuzzy Hash: 4C21A7326847116FDB116B64BD46FF937E4EB46F51F404679F805E72E1DF649C008A90
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _wcslen
                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                          • API String ID: 176396367-1603158881
                          • Opcode ID: 61275be9a411a77fd9613d5249f347637e12c4f570e7d71930248f212677f045
                          • Instruction ID: 9794f90fa1bfc526857457daad236012ad3f2e5269384052b9b78c111a3146de
                          • Opcode Fuzzy Hash: 61275be9a411a77fd9613d5249f347637e12c4f570e7d71930248f212677f045
                          • Instruction Fuzzy Hash: 54E10533A00556AFCF249F69C859BEEFBB0BF54710F548169E456E7280DB30AF8587A0
                          APIs
                          • CharLowerBuffW.USER32(00000000,00000000,00B1CC08), ref: 00AF4527
                          • _wcslen.LIBCMT ref: 00AF453B
                          • _wcslen.LIBCMT ref: 00AF4599
                          • _wcslen.LIBCMT ref: 00AF45F4
                          • _wcslen.LIBCMT ref: 00AF463F
                          • _wcslen.LIBCMT ref: 00AF46A7
                            • Part of subcall function 00A9F9F2: _wcslen.LIBCMT ref: 00A9F9FD
                          • GetDriveTypeW.KERNEL32(?,00B46BF0,00000061), ref: 00AF4743
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _wcslen$BuffCharDriveLowerType
                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                          • API String ID: 2055661098-1000479233
                          • Opcode ID: 8ad8f9f54649984c3a2c5bb941911e29afa4b885b835880e59663612ce0a70df
                          • Instruction ID: e85c7a5e8ea5f341bb405b944d3311624819cbcfa615270e006d7eac04896af9
                          • Opcode Fuzzy Hash: 8ad8f9f54649984c3a2c5bb941911e29afa4b885b835880e59663612ce0a70df
                          • Instruction Fuzzy Hash: 3AB1FE316083069FC710EF68C990A7BB7E5AFAA760F50491DF696C7291E730DD44CBA2
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00B1CC08), ref: 00B040BB
                          • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00B040CD
                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00B1CC08), ref: 00B040F2
                          • FreeLibrary.KERNEL32(00000000,?,00B1CC08), ref: 00B0413E
                          • StringFromGUID2.OLE32(?,?,00000028,?,00B1CC08), ref: 00B041A8
                          • SysFreeString.OLEAUT32(00000009), ref: 00B04262
                          • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00B042C8
                          • SysFreeString.OLEAUT32(?), ref: 00B042F2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
                          • String ID: GetModuleHandleExW$kernel32.dll
                          • API String ID: 354098117-199464113
                          • Opcode ID: 7a8d7e57bb5623e0e961b0b216ba36c5e6dac8c81ccff3b9de9a41804da7831f
                          • Instruction ID: fb81b6a5fcaf284728b403996695fa8a86214e13bd36bcdc3467b0bab8009544
                          • Opcode Fuzzy Hash: 7a8d7e57bb5623e0e961b0b216ba36c5e6dac8c81ccff3b9de9a41804da7831f
                          • Instruction Fuzzy Hash: C5122DB5A00115EFDB14DF54C984EAEBBF5FF45314F248098EA05AB2A1DB31ED46CBA0
                          APIs
                          • GetMenuItemCount.USER32(00B51990), ref: 00AC2F8D
                          • GetMenuItemCount.USER32(00B51990), ref: 00AC303D
                          • GetCursorPos.USER32(?), ref: 00AC3081
                          • SetForegroundWindow.USER32(00000000), ref: 00AC308A
                          • TrackPopupMenuEx.USER32(00B51990,00000000,?,00000000,00000000,00000000), ref: 00AC309D
                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00AC30A9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                          • String ID: 0
                          • API String ID: 36266755-4108050209
                          • Opcode ID: ac935da290b6de1fed706a5ef7077354ea4b09d1a5494100668a30690bce8cd0
                          • Instruction ID: 141ab43e7b33296edc4bf19085d2cfeadc82b5a4b7ffdae74730998697256630
                          • Opcode Fuzzy Hash: ac935da290b6de1fed706a5ef7077354ea4b09d1a5494100668a30690bce8cd0
                          • Instruction Fuzzy Hash: 3F71F771644209BEEF259F28CC49FEABF75FF15764F20421AF5146A1E0CBB1A920DB90
                          APIs
                          • DestroyWindow.USER32(00000000,?), ref: 00B16DEB
                            • Part of subcall function 00A86B57: _wcslen.LIBCMT ref: 00A86B6A
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B16E5F
                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B16E81
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B16E94
                          • DestroyWindow.USER32(?), ref: 00B16EB5
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A80000,00000000), ref: 00B16EE4
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B16EFD
                          • GetDesktopWindow.USER32 ref: 00B16F16
                          • GetWindowRect.USER32(00000000), ref: 00B16F1D
                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B16F35
                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B16F4D
                            • Part of subcall function 00A99944: GetWindowLongW.USER32(?,000000EB), ref: 00A99952
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                          • String ID: 0$tooltips_class32
                          • API String ID: 2429346358-3619404913
                          • Opcode ID: bff4677d6128856f33ceadcbb249768a8d25dc0b9397a33c7d501c057eaaebbb
                          • Instruction ID: 15053bc37e102afaae2ffa40bd2ce864a492e125f5c70df000bfdff56dd02c52
                          • Opcode Fuzzy Hash: bff4677d6128856f33ceadcbb249768a8d25dc0b9397a33c7d501c057eaaebbb
                          • Instruction Fuzzy Hash: 5B716675244340AFDB21CF18DC48BAABBE9FB89304F84499DF99987261CB70A946CB11
                          APIs
                            • Part of subcall function 00A99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A99BB2
                          • DragQueryPoint.SHELL32(?,?), ref: 00B19147
                            • Part of subcall function 00B17674: ClientToScreen.USER32(?,?), ref: 00B1769A
                            • Part of subcall function 00B17674: GetWindowRect.USER32(?,?), ref: 00B17710
                            • Part of subcall function 00B17674: PtInRect.USER32(?,?,00B18B89), ref: 00B17720
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00B191B0
                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B191BB
                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B191DE
                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B19225
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00B1923E
                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00B19255
                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00B19277
                          • DragFinish.SHELL32(?), ref: 00B1927E
                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B19371
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                          • API String ID: 221274066-3440237614
                          • Opcode ID: b4e52cc1c8e08cdb63b7bb87072aa73438e9f2df8da808fc15e02ca4e880e331
                          • Instruction ID: 282fa3b120a7d97c5ad1f7affd4a96ef959be645a79398ba93f88f72a59f9c46
                          • Opcode Fuzzy Hash: b4e52cc1c8e08cdb63b7bb87072aa73438e9f2df8da808fc15e02ca4e880e331
                          • Instruction Fuzzy Hash: 59618B71108301AFD701EF64DD85EAFBBE8EF88750F40496EF595931A0DB309A49CB92
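The function records above are emitted one per disassembled function: an "APIs" list of direct calls with their reference addresses, optional "Part of subcall function" lines for callees, and an "Opcode ID" that identifies the function. Reading them by hand is slow, so the following Python is an added example (not Joe Sandbox code and not derived from the sample) that parses this plain-text rendering into structured records, orders each function's calls by reference address to approximate static call order, and tags the two behaviours visible in these records: run-time import resolution (LoadLibrary*/GetModuleHandle* followed by GetProcAddress, the "dynamically determine API calls" signature) and a WinINet HTTP request chain. The embedded sample is constructed from the two relevant records on this page; the WinINet record's Opcode ID is a placeholder because the page is cut off before it, and the bullet format is assumed to be exactly what is rendered here.

```python
"""Parse the function-level API listing of a Joe Sandbox report.

Added example for this report, not Joe Sandbox code. It assumes the plain-text
rendering used in the report: each function record lists API bullets of the
form "• Name.MODULE(args), ref: ADDR" and closes with "• Opcode ID: <hex>".
"""
import re

# One direct API bullet. Args are optional ("_wcslen.LIBCMT ref: 00B1835A").
API_LINE = re.compile(
    r"^\s*•\s*(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z][A-Z0-9_]*)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{6,8})\b"
)
# The Opcode ID line closes a record and identifies the function.
OPCODE_LINE = re.compile(r"^\s*•\s*Opcode ID:\s*(?P<id>[0-9a-f]{64})\s*$")
# "Part of subcall function ..." bullets describe a callee, not this function.
SUBCALL_MARK = "Part of subcall function"

# APIs used to resolve imports at run time.
DYNAMIC_LOADERS = {
    "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
    "GetModuleHandleA", "GetModuleHandleW", "GetModuleHandleExA", "GetModuleHandleExW",
}

# Constructed sample: two records copied from the report above. The second
# record's Opcode ID is a placeholder (the page is truncated before it).
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00B1CC08), ref: 00B040BB
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00B040CD
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00B1CC08), ref: 00B040F2
• FreeLibrary.KERNEL32(00000000,?,00B1CC08), ref: 00B0413E
Memory Dump Source
• Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
Similarity
• API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
• String ID: GetModuleHandleExW$kernel32.dll
• Opcode ID: 7a8d7e57bb5623e0e961b0b216ba36c5e6dac8c81ccff3b9de9a41804da7831f
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00AFC4B0
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00AFC4C3
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00AFC4F0
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00AFC533
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00AFC549
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AFC554
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00AFC584
• InternetCloseHandle.WININET(00000000), ref: 00AFC5FB
• Opcode ID: 0000000000000000000000000000000000000000000000000000000000000001
"""


def parse_listing(text):
    """Return records {"opcode_id": str, "apis": [call, ...]}.

    Each call is {"name", "module", "args", "ref"}; calls are sorted by ref
    address, which approximates their static order inside the function body.
    """
    records, pending = [], []
    for line in text.splitlines():
        if SUBCALL_MARK in line:
            continue  # callee behaviour is attributed to the callee's record
        m = API_LINE.match(line)
        if m:
            args = m.group("args")
            pending.append({
                "name": m.group("name"),
                "module": m.group("module"),
                "args": [] if args is None else [a.strip() for a in args.split(",")],
                "ref": int(m.group("ref"), 16),
            })
            continue
        m = OPCODE_LINE.match(line)
        if m:
            pending.sort(key=lambda c: c["ref"])
            records.append({"opcode_id": m.group("id"), "apis": pending})
            pending = []
    return records


def call_sequence(record):
    """API names in address order, e.g. to read a WinINet request chain."""
    return [c["name"] for c in record["apis"]]


def flag_behaviours(record):
    """Coarse triage tags derived only from the direct calls of one function."""
    names = {c["name"] for c in record["apis"]}
    modules = {c["module"] for c in record["apis"]}
    flags = set()
    if "GetProcAddress" in names and names & DYNAMIC_LOADERS:
        flags.add("dynamic-api-resolution")
    if "WININET" in modules and any(n.startswith("HttpSendRequest") for n in names):
        flags.add("wininet-http-request")
    return flags


def triage(text):
    """Map opcode_id -> sorted tags for every record that earns at least one."""
    result = {}
    for record in parse_listing(text):
        flags = flag_behaviours(record)
        if flags:
            result[record["opcode_id"]] = sorted(flags)
    return result


if __name__ == "__main__":
    for record in parse_listing(SAMPLE):
        print(record["opcode_id"][:16], " -> ".join(call_sequence(record)))
    print(triage(SAMPLE))
```

Sorting by reference address recovers the request chain as InternetConnectW, HttpOpenRequestW, InternetQueryOptionW and InternetSetOptionW on option 0x1F (31, INTERNET_OPTION_SECURITY_FLAGS), HttpSendRequestW, HttpQueryInfoW with info level 5 (HTTP_QUERY_CONTENT_LENGTH) and InternetCloseHandle. Two caveats: the third argument of InternetSetOptionW is rendered as 00000100, and the listing alone does not show whether that is the flag value or the address of the buffer holding it, so do not read a specific security flag from it; and because sub-call lines are skipped, a function that only reaches GetProcAddress through a callee (as the CRT initialisation record above does) is not tagged by itself.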
                          APIs
                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00AFC4B0
                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00AFC4C3
                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00AFC4D7
                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00AFC4F0
                          • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00AFC533
                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00AFC549
                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AFC554
                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00AFC584
                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00AFC5DC
                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00AFC5F0
                          • InternetCloseHandle.WININET(00000000), ref: 00AFC5FB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                          • String ID:
                          • API String ID: 3800310941-3916222277
                          • Opcode ID: a0407e5ea6e6f641900205757226428c3e1f7864f9f8bf4f88b97e7959b91733
                          • Instruction ID: 32d8e2ccb387509c6ea1c6f12623558ce3e441e1341021c3a9b53b25391a98bc
                          • Opcode Fuzzy Hash: a0407e5ea6e6f641900205757226428c3e1f7864f9f8bf4f88b97e7959b91733
                          • Instruction Fuzzy Hash: 5C513CB158020DBFDB218FA1CA48ABB7BBCFB08764F008419FA46D7250DB74E944DB60
                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00B18592
                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B185A2
                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B185AD
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B185BA
                          • GlobalLock.KERNEL32(00000000), ref: 00B185C8
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B185D7
                          • GlobalUnlock.KERNEL32(00000000), ref: 00B185E0
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B185E7
                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B185F8
                          • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00B1FC38,?), ref: 00B18611
                          • GlobalFree.KERNEL32(00000000), ref: 00B18621
                          • GetObjectW.GDI32(?,00000018,?), ref: 00B18641
                          • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00B18671
                          • DeleteObject.GDI32(?), ref: 00B18699
                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B186AF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                          • String ID:
                          • API String ID: 3840717409-0
                          • Opcode ID: 7c2353177f3917d8b73fd33b5dee5abba946b4936fee608287be541991d9d964
                          • Instruction ID: e8e8b301c7cf7dfe1f11ea4fc56579c18c52a40627c5a79cea4f842f99ab6e7b
                          • Opcode Fuzzy Hash: 7c2353177f3917d8b73fd33b5dee5abba946b4936fee608287be541991d9d964
                          • Instruction Fuzzy Hash: 55411875640208BFDB119FA5DC88EEA7BBDFF89B11F508068F905E7260DB309A41CB60
                          APIs
                          • VariantInit.OLEAUT32(00000000), ref: 00AF1502
                          • VariantCopy.OLEAUT32(?,?), ref: 00AF150B
                          • VariantClear.OLEAUT32(?), ref: 00AF1517
                          • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00AF15FB
                          • VarR8FromDec.OLEAUT32(?,?), ref: 00AF1657
                          • VariantInit.OLEAUT32(?), ref: 00AF1708
                          • SysFreeString.OLEAUT32(?), ref: 00AF178C
                          • VariantClear.OLEAUT32(?), ref: 00AF17D8
                          • VariantClear.OLEAUT32(?), ref: 00AF17E7
                          • VariantInit.OLEAUT32(00000000), ref: 00AF1823
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                          • API String ID: 1234038744-3931177956
                          • Opcode ID: 2289a317dd05e3b5218c6ca2496fb912d2554d1162f29cbf0a26e51125d2ff5c
                          • Instruction ID: 3d52d88536be9c308f109e6d7ad932be72ebf7691cd2a864c8f877043a5805d5
                          • Opcode Fuzzy Hash: 2289a317dd05e3b5218c6ca2496fb912d2554d1162f29cbf0a26e51125d2ff5c
                          • Instruction Fuzzy Hash: 8DD1E071A04219EFDF04AFA5D985BB9B7F6BF44700F148056FA06AB280DB30EC41DBA1
                          APIs
                            • Part of subcall function 00A89CB3: _wcslen.LIBCMT ref: 00A89CBD
                            • Part of subcall function 00B0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0B6AE,?,?), ref: 00B0C9B5
                            • Part of subcall function 00B0C998: _wcslen.LIBCMT ref: 00B0C9F1
                            • Part of subcall function 00B0C998: _wcslen.LIBCMT ref: 00B0CA68
                            • Part of subcall function 00B0C998: _wcslen.LIBCMT ref: 00B0CA9E
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B0B6F4
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B0B772
                          • RegDeleteValueW.ADVAPI32(?,?), ref: 00B0B80A
                          • RegCloseKey.ADVAPI32(?), ref: 00B0B87E
                          • RegCloseKey.ADVAPI32(?), ref: 00B0B89C
                          • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00B0B8F2
                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B0B904
                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00B0B922
                          • FreeLibrary.KERNEL32(00000000), ref: 00B0B983
                          • RegCloseKey.ADVAPI32(00000000), ref: 00B0B994
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                          • String ID: RegDeleteKeyExW$advapi32.dll
                          • API String ID: 146587525-4033151799
                          • Opcode ID: a01bba633c413f8fa09bf4ffebf3e457e89959b5b95f3eb74e65b1312e5a7dbb
                          • Instruction ID: eb970285cfd0070d7bc615b0f1b4babc2c9b4a4f92c3101b2656d8dd2cae8f7f
                          • Opcode Fuzzy Hash: a01bba633c413f8fa09bf4ffebf3e457e89959b5b95f3eb74e65b1312e5a7dbb
                          • Instruction Fuzzy Hash: DBC16B35208201AFD714DF24C495F2ABBE5FF84318F54859CF5AA8B2A2CB71ED45CB92
                          APIs
                          • GetDC.USER32(00000000), ref: 00B025D8
                          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00B025E8
                          • CreateCompatibleDC.GDI32(?), ref: 00B025F4
                          • SelectObject.GDI32(00000000,?), ref: 00B02601
                          • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00B0266D
                          • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00B026AC
                          • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00B026D0
                          • SelectObject.GDI32(?,?), ref: 00B026D8
                          • DeleteObject.GDI32(?), ref: 00B026E1
                          • DeleteDC.GDI32(?), ref: 00B026E8
                          • ReleaseDC.USER32(00000000,?), ref: 00B026F3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                          • String ID: (
                          • API String ID: 2598888154-3887548279
                          • Opcode ID: 579fd81ca27604b49fbb7bf5bed3ce7feb493886d94a048ee49f40baaabc0f38
                          • Instruction ID: 0fbfd9a91acc403864170d9ab1136931f79c3800fae381c80a3a6a91c98ce381
                          • Opcode Fuzzy Hash: 579fd81ca27604b49fbb7bf5bed3ce7feb493886d94a048ee49f40baaabc0f38
                          • Instruction Fuzzy Hash: DC61E275D00219EFCF04CFA4D888AAEBBF6FF48310F208569E955A7250D771A951CF50
                          APIs
                          • ___free_lconv_mon.LIBCMT ref: 00ABDAA1
                            • Part of subcall function 00ABD63C: _free.LIBCMT ref: 00ABD659
                            • Part of subcall function 00ABD63C: _free.LIBCMT ref: 00ABD66B
                            • Part of subcall function 00ABD63C: _free.LIBCMT ref: 00ABD67D
                            • Part of subcall function 00ABD63C: _free.LIBCMT ref: 00ABD68F
                            • Part of subcall function 00ABD63C: _free.LIBCMT ref: 00ABD6A1
                            • Part of subcall function 00ABD63C: _free.LIBCMT ref: 00ABD6B3
                            • Part of subcall function 00ABD63C: _free.LIBCMT ref: 00ABD6C5
                            • Part of subcall function 00ABD63C: _free.LIBCMT ref: 00ABD6D7
                            • Part of subcall function 00ABD63C: _free.LIBCMT ref: 00ABD6E9
                            • Part of subcall function 00ABD63C: _free.LIBCMT ref: 00ABD6FB
                            • Part of subcall function 00ABD63C: _free.LIBCMT ref: 00ABD70D
                            • Part of subcall function 00ABD63C: _free.LIBCMT ref: 00ABD71F
                            • Part of subcall function 00ABD63C: _free.LIBCMT ref: 00ABD731
                          • _free.LIBCMT ref: 00ABDA96
                            • Part of subcall function 00AB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ABD7D1,00000000,00000000,00000000,00000000,?,00ABD7F8,00000000,00000007,00000000,?,00ABDBF5,00000000), ref: 00AB29DE
                            • Part of subcall function 00AB29C8: GetLastError.KERNEL32(00000000,?,00ABD7D1,00000000,00000000,00000000,00000000,?,00ABD7F8,00000000,00000007,00000000,?,00ABDBF5,00000000,00000000), ref: 00AB29F0
                          • _free.LIBCMT ref: 00ABDAB8
                          • _free.LIBCMT ref: 00ABDACD
                          • _free.LIBCMT ref: 00ABDAD8
                          • _free.LIBCMT ref: 00ABDAFA
                          • _free.LIBCMT ref: 00ABDB0D
                          • _free.LIBCMT ref: 00ABDB1B
                          • _free.LIBCMT ref: 00ABDB26
                          • _free.LIBCMT ref: 00ABDB5E
                          • _free.LIBCMT ref: 00ABDB65
                          • _free.LIBCMT ref: 00ABDB82
                          • _free.LIBCMT ref: 00ABDB9A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                          • String ID:
                          • API String ID: 161543041-0
                          • Opcode ID: 921339c503ddfbf06274601934e45e211732a45472e6d7c2e25a0c1875aeec6c
                          • Instruction ID: a27b927b7bf38ecaf30e75b4e6ccfa324c2f3442af1d7ecd18af0515840fe100
                          • Opcode Fuzzy Hash: 921339c503ddfbf06274601934e45e211732a45472e6d7c2e25a0c1875aeec6c
                          • Instruction Fuzzy Hash: B2313D31604705AFEB21AB39E945BD6BBEDFF40350F15481AE449D7193EF31AC508724
                          APIs
                          • GetClassNameW.USER32(?,?,00000100), ref: 00AE369C
                          • _wcslen.LIBCMT ref: 00AE36A7
                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00AE3797
                          • GetClassNameW.USER32(?,?,00000400), ref: 00AE380C
                          • GetDlgCtrlID.USER32(?), ref: 00AE385D
                          • GetWindowRect.USER32(?,?), ref: 00AE3882
                          • GetParent.USER32(?), ref: 00AE38A0
                          • ScreenToClient.USER32(00000000), ref: 00AE38A7
                          • GetClassNameW.USER32(?,?,00000100), ref: 00AE3921
                          • GetWindowTextW.USER32(?,?,00000400), ref: 00AE395D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                          • String ID: %s%u
                          • API String ID: 4010501982-679674701
                          • Opcode ID: 057434578bd9d82e7b8a133ea4e325e6ca5d83dfe7d09136a24d728e64a78c14
                          • Instruction ID: 63e2b7191d9d8533b311f9673281e67d00b9e9b58812e686b138734a99f3eaaa
                          • Opcode Fuzzy Hash: 057434578bd9d82e7b8a133ea4e325e6ca5d83dfe7d09136a24d728e64a78c14
                          • Instruction Fuzzy Hash: 5E91C272204746AFDB18DF26C899BEAF7A8FF44350F408529F999C3191DB30EA45CB91
                          APIs
                          • GetClassNameW.USER32(?,?,00000400), ref: 00AE4994
                          • GetWindowTextW.USER32(?,?,00000400), ref: 00AE49DA
                          • _wcslen.LIBCMT ref: 00AE49EB
                          • CharUpperBuffW.USER32(?,00000000), ref: 00AE49F7
                          • _wcsstr.LIBVCRUNTIME ref: 00AE4A2C
                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00AE4A64
                          • GetWindowTextW.USER32(?,?,00000400), ref: 00AE4A9D
                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00AE4AE6
                          • GetClassNameW.USER32(?,?,00000400), ref: 00AE4B20
                          • GetWindowRect.USER32(?,?), ref: 00AE4B8B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                          • String ID: ThumbnailClass
                          • API String ID: 1311036022-1241985126
                          • Opcode ID: f8b039579f48b3bb5dbd5ad9de2bbc58c390a474aab42322bb5bec2a70f33956
                          • Instruction ID: 836d595a7298707f0787da297bd7394e536067b999f1faa824377cd77c6df523
                          • Opcode Fuzzy Hash: f8b039579f48b3bb5dbd5ad9de2bbc58c390a474aab42322bb5bec2a70f33956
                          • Instruction Fuzzy Hash: 7D9189710083459BDB04DF16C985BAABBECEF88354F048469FD859B096EB34ED45CBA1
                          APIs
                            • Part of subcall function 00A99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A99BB2
                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B18D5A
                          • GetFocus.USER32 ref: 00B18D6A
                          • GetDlgCtrlID.USER32(00000000), ref: 00B18D75
                          • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00B18E1D
                          • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B18ECF
                          • GetMenuItemCount.USER32(?), ref: 00B18EEC
                          • GetMenuItemID.USER32(?,00000000), ref: 00B18EFC
                          • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B18F2E
                          • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B18F70
                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B18FA1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                          • String ID: 0
                          • API String ID: 1026556194-4108050209
                          • Opcode ID: 1911a6b99cfc97582e6656097ea6ab88984deef462cc7a86dea8db4579698604
                          • Instruction ID: 57b5c90bd0269cda6c8ea274e1deba2cb0e2c94bfd1246a5485c30d84ae15695
                          • Opcode Fuzzy Hash: 1911a6b99cfc97582e6656097ea6ab88984deef462cc7a86dea8db4579698604
                          • Instruction Fuzzy Hash: E681AF726043019FDB10CF14D884AEB7BEAFB88354F5449ADF985D7291DB30D981CBA1
                          APIs
                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00AEDC20
                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00AEDC46
                          • _wcslen.LIBCMT ref: 00AEDC50
                          • _wcsstr.LIBVCRUNTIME ref: 00AEDCA0
                          • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00AEDCBC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                          • API String ID: 1939486746-1459072770
                          • Opcode ID: 0b631b3b0f339e37abca40d8e3e5bce7f66a0bfe6f38ccb7e994b83550458476
                          • Instruction ID: c5bda34d10e88eea9936c3b064b327dc0249876a1c3567e943e61733cc2fe0a9
                          • Opcode Fuzzy Hash: 0b631b3b0f339e37abca40d8e3e5bce7f66a0bfe6f38ccb7e994b83550458476
                          • Instruction Fuzzy Hash: 02411372A402047ADB01A775DD47EFF7BACEF46750F2000AAF900E71D2EB759A0197A5
                          APIs
                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00B0CC64
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00B0CC8D
                          • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00B0CD48
                            • Part of subcall function 00B0CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00B0CCAA
                            • Part of subcall function 00B0CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00B0CCBD
                            • Part of subcall function 00B0CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B0CCCF
                            • Part of subcall function 00B0CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00B0CD05
                            • Part of subcall function 00B0CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00B0CD28
                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00B0CCF3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                          • String ID: RegDeleteKeyExW$advapi32.dll
                          • API String ID: 2734957052-4033151799
                          • Opcode ID: 104dc5312c8d306c7e3e098ac1548dc6eda5c95152802d61b22059e0ccc00317
                          • Instruction ID: a7e8c179af5b439886ac730822fc4b99ca753cf31743a045cad9469501a751b7
                          • Opcode Fuzzy Hash: 104dc5312c8d306c7e3e098ac1548dc6eda5c95152802d61b22059e0ccc00317
                          • Instruction Fuzzy Hash: D3316F71941129BBDB208B55DC88EFFBFBCEF45750F0042A5B906E3290DB349E45DAA0
                          APIs
                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00AF3D40
                          • _wcslen.LIBCMT ref: 00AF3D6D
                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00AF3D9D
                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00AF3DBE
                          • RemoveDirectoryW.KERNEL32(?), ref: 00AF3DCE
                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00AF3E55
                          • CloseHandle.KERNEL32(00000000), ref: 00AF3E60
                          • CloseHandle.KERNEL32(00000000), ref: 00AF3E6B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                          • String ID: :$\$\??\%s
                          • API String ID: 1149970189-3457252023
                          • Opcode ID: 4e77cd73d9adda5151e09837c3021deadcef54c16a8a2ed00c6aa8c31606b16a
                          • Instruction ID: b31eb17e465dd42d4c7673d36a3f677f90a6f4b6bd3cf10679bf8f016a6d6d31
                          • Opcode Fuzzy Hash: 4e77cd73d9adda5151e09837c3021deadcef54c16a8a2ed00c6aa8c31606b16a
                          • Instruction Fuzzy Hash: FF31AF72A40219ABDF209FA0DC49FEF3BBDEF89740F5040A5F619D60A0EB7097448B64
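The function above is easier to read once its raw constants are decoded: CreateFileW is called with GENERIC_WRITE (0x40000000), OPEN_EXISTING (3) and FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT (0x02200000) on a directory that CreateDirectoryW just made, and the handle is then passed to DeviceIoControl with control code 0x000900A4, which is FSCTL_SET_REPARSE_POINT. Together with the "\??\%s" format string this is the standard Win32 sequence for turning an empty directory into a junction (mount point reparse point). The following Python is an added example, not code from the report or from the analysed sample: it unpacks the CTL_CODE fields and CreateFile arguments, flags the junction-creation pattern, and builds the REPARSE_DATA_BUFFER that FSCTL_SET_REPARSE_POINT consumes so the role of the "\??\" prefix is visible. The target path is constructed for illustration; the report does not show which directory the sample redirects, and junction creation is only interesting in context of where it points.

```python
import struct

# --- DeviceIoControl control codes: CTL_CODE(device, function, method, access) ---
DEVICE_TYPES = {0x0009: "FILE_DEVICE_FILE_SYSTEM"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
# Function numbers on FILE_DEVICE_FILE_SYSTEM that deal with reparse points (winioctl.h).
FSCTL_BY_FUNCTION = {41: "FSCTL_SET_REPARSE_POINT", 42: "FSCTL_GET_REPARSE_POINT",
                     43: "FSCTL_DELETE_REPARSE_POINT"}


def decode_ioctl(code):
    """Split a raw control code into the four CTL_CODE() bit fields."""
    device = (code >> 16) & 0xFFFF
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    return {
        "device": DEVICE_TYPES.get(device, hex(device)),
        "access": ACCESS[access],
        "function": function,
        "method": METHODS[method],
        "name": FSCTL_BY_FUNCTION.get(function) if device == 0x9 else None,
    }


# --- CreateFileW arguments ---
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {
    0x80000000: "FILE_FLAG_WRITE_THROUGH",
    0x40000000: "FILE_FLAG_OVERLAPPED",
    0x20000000: "FILE_FLAG_NO_BUFFERING",
    0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
    0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",      # required to open a directory handle
    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",    # operate on the reparse point itself
}


def decode_bits(value, table):
    """Names of every flag in `table` that is set in `value`."""
    return [name for bit, name in table.items() if value & bit]


def decode_create_file(access, disposition, flags):
    return {
        "access": decode_bits(access, GENERIC),
        "disposition": DISPOSITION.get(disposition, hex(disposition)),
        "flags": decode_bits(flags, FILE_FLAGS),
    }


def is_junction_creation(create_file_flags, ioctl_code):
    """True when a directory handle opened with backup semantics and open-reparse-point
    is then given FSCTL_SET_REPARSE_POINT: the canonical junction-creation pattern."""
    flags = set(decode_bits(create_file_flags, FILE_FLAGS))
    return ({"FILE_FLAG_BACKUP_SEMANTICS", "FILE_FLAG_OPEN_REPARSE_POINT"} <= flags
            and decode_ioctl(ioctl_code)["name"] == "FSCTL_SET_REPARSE_POINT")


# --- The input buffer handed to FSCTL_SET_REPARSE_POINT for a mount point ---
IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003


def build_mount_point_reparse_buffer(target):
    """Build a REPARSE_DATA_BUFFER for a junction. The substitute name is the NT-namespace
    path "\\??\\<target>", which is what the trace's "\\??\\%s" format string produces."""
    substitute = ("\\??\\" + target).encode("utf-16-le")
    print_name = target.encode("utf-16-le")
    # PathBuffer: SubstituteName, NUL, PrintName, NUL (lengths exclude the terminators).
    path_buffer = substitute + b"\x00\x00" + print_name + b"\x00\x00"
    mount_point = struct.pack("<HHHH", 0, len(substitute), len(substitute) + 2, len(print_name))
    reparse_data = mount_point + path_buffer
    # Header: ReparseTag, ReparseDataLength, Reserved.
    return struct.pack("<IHH", IO_REPARSE_TAG_MOUNT_POINT, len(reparse_data), 0) + reparse_data


if __name__ == "__main__":
    # Argument values are the ones shown in the trace above.
    print(decode_create_file(0x40000000, 3, 0x02200000))
    print(decode_ioctl(0x000900A4))
    print("junction creation:", is_junction_creation(0x02200000, 0x000900A4))
    # Constructed target path; the report does not reveal the real one.
    print(build_mount_point_reparse_buffer(r"C:\Users\Public").hex())
```

The same decoder applies to any DeviceIoControl call in a trace: device type 0x9 with function 42 is FSCTL_GET_REPARSE_POINT, which would indicate reading an existing link rather than planting one.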
                          APIs
                          • timeGetTime.WINMM ref: 00AEE6B4
                            • Part of subcall function 00A9E551: timeGetTime.WINMM(?,?,00AEE6D4), ref: 00A9E555
                          • Sleep.KERNEL32(0000000A), ref: 00AEE6E1
                          • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00AEE705
                          • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00AEE727
                          • SetActiveWindow.USER32 ref: 00AEE746
                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00AEE754
                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00AEE773
                          • Sleep.KERNEL32(000000FA), ref: 00AEE77E
                          • IsWindow.USER32 ref: 00AEE78A
                          • EndDialog.USER32(00000000), ref: 00AEE79B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                          • String ID: BUTTON
                          • API String ID: 1194449130-3405671355
                          • Opcode ID: a8c2da6f69e5c4a3beb534702e38b18a351c038a3ced3b04c6075bfbce06b17b
                          • Instruction ID: ae5340bb6df2585cb144b28cf8cc2d8a4c4c8dc76ec559b30660d53d09822db9
                          • Opcode Fuzzy Hash: a8c2da6f69e5c4a3beb534702e38b18a351c038a3ced3b04c6075bfbce06b17b
                          • Instruction Fuzzy Hash: EE21A2B0280385BFEB009F22EC89B663F6AF75634AF504865F505831B1DF71AC108B25
                          APIs
                            • Part of subcall function 00A89CB3: _wcslen.LIBCMT ref: 00A89CBD
                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00AEEA5D
                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00AEEA73
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AEEA84
                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00AEEA96
                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00AEEAA7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: SendString$_wcslen
                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                          • API String ID: 2420728520-1007645807
                          • Opcode ID: 44335ba0be477467f3710686075d7c42d00257e5b97dcff0a4b3deb97ddeddee
                          • Instruction ID: 3de6210b5fb33fc1265e32b630ad58da9c072252730ceb795986b46b8f332a99
                          • Opcode Fuzzy Hash: 44335ba0be477467f3710686075d7c42d00257e5b97dcff0a4b3deb97ddeddee
                          • Instruction Fuzzy Hash: E1115131A9026979D720F7A2DD4ADFF6BBCEBD6B40F400469B401A20E1EEB00A05D6B1
                          APIs
                          • GetKeyboardState.USER32(?), ref: 00AEA012
                          • SetKeyboardState.USER32(?), ref: 00AEA07D
                          • GetAsyncKeyState.USER32(000000A0), ref: 00AEA09D
                          • GetKeyState.USER32(000000A0), ref: 00AEA0B4
                          • GetAsyncKeyState.USER32(000000A1), ref: 00AEA0E3
                          • GetKeyState.USER32(000000A1), ref: 00AEA0F4
                          • GetAsyncKeyState.USER32(00000011), ref: 00AEA120
                          • GetKeyState.USER32(00000011), ref: 00AEA12E
                          • GetAsyncKeyState.USER32(00000012), ref: 00AEA157
                          • GetKeyState.USER32(00000012), ref: 00AEA165
                          • GetAsyncKeyState.USER32(0000005B), ref: 00AEA18E
                          • GetKeyState.USER32(0000005B), ref: 00AEA19C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: State$Async$Keyboard
                          • String ID:
                          • API String ID: 541375521-0
                          • Opcode ID: c2f07bed68065f22c28ad7a80d19eaae8ef4ac142486f6db4fa7d149eca17cf3
                          • Instruction ID: 36b76ebbc7507b0692e40402b3345dbc0ef93cc17ed1c51697c62cbbfb36e3a8
                          • Opcode Fuzzy Hash: c2f07bed68065f22c28ad7a80d19eaae8ef4ac142486f6db4fa7d149eca17cf3
                          • Instruction Fuzzy Hash: 6351BA30A047C829FB35EB6289157EBBFB59F22380F088599D5C2571C2DA54BA4CC766
                          APIs
                          • GetDlgItem.USER32(?,00000001), ref: 00AE5CE2
                          • GetWindowRect.USER32(00000000,?), ref: 00AE5CFB
                          • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00AE5D59
                          • GetDlgItem.USER32(?,00000002), ref: 00AE5D69
                          • GetWindowRect.USER32(00000000,?), ref: 00AE5D7B
                          • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00AE5DCF
                          • GetDlgItem.USER32(?,000003E9), ref: 00AE5DDD
                          • GetWindowRect.USER32(00000000,?), ref: 00AE5DEF
                          • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00AE5E31
                          • GetDlgItem.USER32(?,000003EA), ref: 00AE5E44
                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00AE5E5A
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00AE5E67
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Window$ItemMoveRect$Invalidate
                          • String ID:
                          • API String ID: 3096461208-0
                          • Opcode ID: 47d5e379aea0d8ab258e806fb954a6188a8d6659fc40954be13ad667f80f4970
                          • Instruction ID: b9787a5aa7cbd3f319b3f9461d5f8fc919d04765253f8ced120d8b164c7547d0
                          • Opcode Fuzzy Hash: 47d5e379aea0d8ab258e806fb954a6188a8d6659fc40954be13ad667f80f4970
                          • Instruction Fuzzy Hash: CB510BB1E40609AFDF18CF69DD89AAEBBB5EB48314F548129F915E7290DB709E00CB50
                          APIs
                            • Part of subcall function 00A98F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A98BE8,?,00000000,?,?,?,?,00A98BBA,00000000,?), ref: 00A98FC5
                          • DestroyWindow.USER32(?), ref: 00A98C81
                          • KillTimer.USER32(00000000,?,?,?,?,00A98BBA,00000000,?), ref: 00A98D1B
                          • DestroyAcceleratorTable.USER32(00000000), ref: 00AD6973
                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00A98BBA,00000000,?), ref: 00AD69A1
                          • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00A98BBA,00000000,?), ref: 00AD69B8
                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00A98BBA,00000000), ref: 00AD69D4
                          • DeleteObject.GDI32(00000000), ref: 00AD69E6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                          • String ID:
                          • API String ID: 641708696-0
                          • Opcode ID: f5d99702383586dc0b2d38cf412655252e0d1eface4a0d8f24f4f8e370c0e7f1
                          • Instruction ID: 6c60d689c445ade85e7134414f39a42944cb0a1b1f540366b48f7682c044a54b
                          • Opcode Fuzzy Hash: f5d99702383586dc0b2d38cf412655252e0d1eface4a0d8f24f4f8e370c0e7f1
                          • Instruction Fuzzy Hash: 8D619A30602700DFDF219F18CA58B697BF1FB46312F548959E0829B6A0CB79AD81CF90
                          APIs
                            • Part of subcall function 00A99944: GetWindowLongW.USER32(?,000000EB), ref: 00A99952
                          • GetSysColor.USER32(0000000F), ref: 00A99862
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ColorLongWindow
                          • String ID:
                          • API String ID: 259745315-0
                          • Opcode ID: 101e05584f6b205a4c3ad175a04856a0d889b6aeaeb54599c760456482cc6164
                          • Instruction ID: 539ddf47f6e2c974e04df7e6327e66dbfc7c64883ce9805506ca2e5259be129c
                          • Opcode Fuzzy Hash: 101e05584f6b205a4c3ad175a04856a0d889b6aeaeb54599c760456482cc6164
                          • Instruction Fuzzy Hash: 3841A131244640BFDF205F3C9C88BBA3BA5AB06331F54861DF9A2972E1EB319C42DB11
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00ACF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00AE9717
                          • LoadStringW.USER32(00000000,?,00ACF7F8,00000001), ref: 00AE9720
                            • Part of subcall function 00A89CB3: _wcslen.LIBCMT ref: 00A89CBD
                          • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00ACF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00AE9742
                          • LoadStringW.USER32(00000000,?,00ACF7F8,00000001), ref: 00AE9745
                          • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00AE9866
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: HandleLoadModuleString$Message_wcslen
                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                          • API String ID: 747408836-2268648507
                          • Opcode ID: 902412c40225de4f6ee1dedda4c6050ebe8e316be5edf67290bdc9f967518346
                          • Instruction ID: c7b6dea2fd2338b1b61f43260b7bd6d4015ab5e09d1a22b80faa0b87c131cb28
                          • Opcode Fuzzy Hash: 902412c40225de4f6ee1dedda4c6050ebe8e316be5edf67290bdc9f967518346
                          • Instruction Fuzzy Hash: 8B413972900209AADF04FBE1CE86EEFB778EF15740F540065F605760A2EB256F49CBA1
                          APIs
                            • Part of subcall function 00A86B57: _wcslen.LIBCMT ref: 00A86B6A
                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00AE07A2
                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00AE07BE
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00AE07DA
                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00AE0804
                          • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00AE082C
                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AE0837
                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AE083C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                          • API String ID: 323675364-22481851
                          • Opcode ID: c37257b2ad16f5fce27d5824d843287fbd3a9e003b08f160003282fcda22bb69
                          • Instruction ID: 3eb0a83ea9400bda350efba4d293edcc320c589497ce2b3a82468510c888287b
                          • Opcode Fuzzy Hash: c37257b2ad16f5fce27d5824d843287fbd3a9e003b08f160003282fcda22bb69
                          • Instruction Fuzzy Hash: D8413672C10229ABDF21EFA4DC85DEEB7B8FF14340F444129E901A71A1EB709E44CBA0
                          APIs
                          • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00B1403B
                          • CreateCompatibleDC.GDI32(00000000), ref: 00B14042
                          • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00B14055
                          • SelectObject.GDI32(00000000,00000000), ref: 00B1405D
                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 00B14068
                          • DeleteDC.GDI32(00000000), ref: 00B14072
                          • GetWindowLongW.USER32(?,000000EC), ref: 00B1407C
                          • SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00B14092
                          • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00B1409E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                          • String ID: static
                          • API String ID: 2559357485-2160076837
                          • Opcode ID: 65b42483305cdb04bcbc3ca6a47d2454d38a6a4045b2938a3df79913f8366171
                          • Instruction ID: d833afd53b70fa8674016b2fe2162acc53c83ab21a6eb48fae0a17409fdfb599
                          • Opcode Fuzzy Hash: 65b42483305cdb04bcbc3ca6a47d2454d38a6a4045b2938a3df79913f8366171
                          • Instruction Fuzzy Hash: 41317A32540219BBDF219FA4CC09FDA3FA9FF0D720F514250FA18A60A0CB75D860DB50
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 00B03C5C
                          • CoInitialize.OLE32(00000000), ref: 00B03C8A
                          • CoUninitialize.OLE32 ref: 00B03C94
                          • _wcslen.LIBCMT ref: 00B03D2D
                          • GetRunningObjectTable.OLE32(00000000,?), ref: 00B03DB1
                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 00B03ED5
                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00B03F0E
                          • CoGetObject.OLE32(?,00000000,00B1FB98,?), ref: 00B03F2D
                          • SetErrorMode.KERNEL32(00000000), ref: 00B03F40
                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B03FC4
                          • VariantClear.OLEAUT32(?), ref: 00B03FD8
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                          • String ID:
                          • API String ID: 429561992-0
                          • Opcode ID: 0e8e7a36c8a90c11b85345ea7fe026d581accc1de5e3e71c1f1e8b7b2d461b58
                          • Instruction ID: 6a4f36ba264e1f9c9be5fad0d5758878501e333d280804aac711621c67f7a423
                          • Opcode Fuzzy Hash: 0e8e7a36c8a90c11b85345ea7fe026d581accc1de5e3e71c1f1e8b7b2d461b58
                          • Instruction Fuzzy Hash: B2C158716083019FD700DF68C98896BBBE9FF89B44F14499DF98A9B290DB31ED05CB52
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 00AF7AF3
                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00AF7B8F
                          • SHGetDesktopFolder.SHELL32(?), ref: 00AF7BA3
                          • CoCreateInstance.OLE32(00B1FD08,00000000,00000001,00B46E6C,?), ref: 00AF7BEF
                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00AF7C74
                          • CoTaskMemFree.OLE32(?,?), ref: 00AF7CCC
                          • SHBrowseForFolderW.SHELL32(?), ref: 00AF7D57
                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00AF7D7A
                          • CoTaskMemFree.OLE32(00000000), ref: 00AF7D81
                          • CoTaskMemFree.OLE32(00000000), ref: 00AF7DD6
                          • CoUninitialize.OLE32 ref: 00AF7DDC
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                          • String ID:
                          • API String ID: 2762341140-0
                          • Opcode ID: a4d32f28cb8a0f61375d5859ab1c92edbffe96cf5a89c97cdc8185e07368ac07
                          • Instruction ID: 2d1002ffbb8d72a92cb3f8b6c57bfb1cfafa060b6261ff331a64f90359242507
                          • Opcode Fuzzy Hash: a4d32f28cb8a0f61375d5859ab1c92edbffe96cf5a89c97cdc8185e07368ac07
                          • Instruction Fuzzy Hash: 13C11975A04109AFCB14DFA4C884DAEBBF9FF49304B148499F91A9B361DB30EE45CB90
                          APIs
                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B15504
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B15515
                          • CharNextW.USER32(00000158), ref: 00B15544
                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B15585
                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B1559B
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B155AC
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessageSend$CharNext
                          • String ID:
                          • API String ID: 1350042424-0
                          • Opcode ID: 6f712d179ee1abbb77e4474f2ee6a2326de9cebd4f196f2f0f3ec02da869527b
                          • Instruction ID: da4fb2cf9f83562637600dad741cbe5de6e2624434fb342e5726de11f71b1358
                          • Opcode Fuzzy Hash: 6f712d179ee1abbb77e4474f2ee6a2326de9cebd4f196f2f0f3ec02da869527b
                          • Instruction Fuzzy Hash: F8619170900608EFDF209F54CC85AFE7BF9EB89761F908185F525AB294D7709AC0DB61
                          APIs
                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00ADFAAF
                          • SafeArrayAllocData.OLEAUT32(?), ref: 00ADFB08
                          • VariantInit.OLEAUT32(?), ref: 00ADFB1A
                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 00ADFB3A
                          • VariantCopy.OLEAUT32(?,?), ref: 00ADFB8D
                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 00ADFBA1
                          • VariantClear.OLEAUT32(?), ref: 00ADFBB6
                          • SafeArrayDestroyData.OLEAUT32(?), ref: 00ADFBC3
                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00ADFBCC
                          • VariantClear.OLEAUT32(?), ref: 00ADFBDE
                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00ADFBE9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                          • String ID:
                          • API String ID: 2706829360-0
                          • Opcode ID: 8aa1c35b41f1135fb6433f372d5fbca1d2acb6b1b32033bdbe6e60eff54fd41b
                          • Instruction ID: 8d95a49ff1063c929d5641cdb6cdfee287d59a64fa78c88bf2d4d549f308acd6
                          • Opcode Fuzzy Hash: 8aa1c35b41f1135fb6433f372d5fbca1d2acb6b1b32033bdbe6e60eff54fd41b
                          • Instruction Fuzzy Hash: A3414135A042199FDB00DFA8D8549EEBFB9EF48354F50806AE947A7361DB30A945CFA0
                          APIs
                          • GetKeyboardState.USER32(?), ref: 00AE9CA1
                          • GetAsyncKeyState.USER32(000000A0), ref: 00AE9D22
                          • GetKeyState.USER32(000000A0), ref: 00AE9D3D
                          • GetAsyncKeyState.USER32(000000A1), ref: 00AE9D57
                          • GetKeyState.USER32(000000A1), ref: 00AE9D6C
                          • GetAsyncKeyState.USER32(00000011), ref: 00AE9D84
                          • GetKeyState.USER32(00000011), ref: 00AE9D96
                          • GetAsyncKeyState.USER32(00000012), ref: 00AE9DAE
                          • GetKeyState.USER32(00000012), ref: 00AE9DC0
                          • GetAsyncKeyState.USER32(0000005B), ref: 00AE9DD8
                          • GetKeyState.USER32(0000005B), ref: 00AE9DEA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: State$Async$Keyboard
                          • String ID:
                          • API String ID: 541375521-0
                          • Opcode ID: 5e742045dd96577b84df19f1196685d5c7a05340071868b9ef249b99f8440573
                          • Instruction ID: 9987e9ac32632df8c290c9ab8fcac1c0f25c81a407ab97b18b03bbf02c41affc
                          • Opcode Fuzzy Hash: 5e742045dd96577b84df19f1196685d5c7a05340071868b9ef249b99f8440573
                          • Instruction Fuzzy Hash: FB41F7345047DA6DFF30976288443F7BEE16F21344F48805ADAC6575C2EBA4A9C8C7A2
                          APIs
                          • WSAStartup.WSOCK32(00000101,?), ref: 00B005BC
                          • inet_addr.WSOCK32(?), ref: 00B0061C
                          • gethostbyname.WSOCK32(?), ref: 00B00628
                          • IcmpCreateFile.IPHLPAPI ref: 00B00636
                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B006C6
                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B006E5
                          • IcmpCloseHandle.IPHLPAPI(?), ref: 00B007B9
                          • WSACleanup.WSOCK32 ref: 00B007BF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                          • String ID: Ping
                          • API String ID: 1028309954-2246546115
                          • Opcode ID: b4ee58295a0ebe47b1d9d45d36edebec8869662b78a0d637c4b516082e8562f9
                          • Instruction ID: 2a299c2353ae6b5b01f84c9f5b8eef6348d41af5dbb1fee34eafe5e847eb4c1f
                          • Opcode Fuzzy Hash: b4ee58295a0ebe47b1d9d45d36edebec8869662b78a0d637c4b516082e8562f9
                          • Instruction Fuzzy Hash: DB91A0356182019FD720EF15C988F1ABFE0EF45318F1485A9F46A9B6A2CB34ED45CF91
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _wcslen$BuffCharLower
                          • String ID: cdecl$none$stdcall$winapi
                          • API String ID: 707087890-567219261
                          • Opcode ID: bf6b9ee75be8aa36bed365100ec6fa7cbfa9bbd63af8f9f39ddcdd7ffb73c4dd
                          • Instruction ID: ee20b571c686cdb141eca6c226e26c7d3dbf46cb454085f4f37c3da10f453971
                          • Opcode Fuzzy Hash: bf6b9ee75be8aa36bed365100ec6fa7cbfa9bbd63af8f9f39ddcdd7ffb73c4dd
                          • Instruction Fuzzy Hash: FF519131A005169BCF14DF68C9808BEBBE6FF65720B2542A9E4A6E72C4DF30DE40C790
                          APIs
                          • CoInitialize.OLE32 ref: 00B03774
                          • CoUninitialize.OLE32 ref: 00B0377F
                          • CoCreateInstance.OLE32(?,00000000,00000017,00B1FB78,?), ref: 00B037D9
                          • IIDFromString.OLE32(?,?), ref: 00B0384C
                          • VariantInit.OLEAUT32(?), ref: 00B038E4
                          • VariantClear.OLEAUT32(?), ref: 00B03936
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                          • API String ID: 636576611-1287834457
                          • Opcode ID: 17b67178a7c4cacbbd825bfca415490ae1baedd4b2865dc00bd6480dc062ed3c
                          • Instruction ID: 16f6cb9824d35892059359dffaf7be1fe66f59d7066c2357df68145bc61ead4f
                          • Opcode Fuzzy Hash: 17b67178a7c4cacbbd825bfca415490ae1baedd4b2865dc00bd6480dc062ed3c
                          • Instruction Fuzzy Hash: 9A61A370608301AFD711DF54C989F6ABBE8FF49B14F104989F5859B291D770EE48CB92
                          APIs
                          • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00AF33CF
                            • Part of subcall function 00A89CB3: _wcslen.LIBCMT ref: 00A89CBD
                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00AF33F0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: LoadString$_wcslen
                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                          • API String ID: 4099089115-3080491070
                          • Opcode ID: 2fbfbd7c9bbccf3fe2a09d264571932432549a7327d87583e63422e0c9664fca
                          • Instruction ID: 27c2ce8c49ae04d51a130435cea58fc9a74b5ccf3d86866e7b54d2f47fc53918
                          • Opcode Fuzzy Hash: 2fbfbd7c9bbccf3fe2a09d264571932432549a7327d87583e63422e0c9664fca
                          • Instruction Fuzzy Hash: 35517B72900209BADF14EBE0CE56EFEB7B8EF14740F1444A5F505720A2EB252F58DB61
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _wcslen$BuffCharUpper
                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                          • API String ID: 1256254125-769500911
                          • Opcode ID: d81b111fa894a2695e89ca815844d6c346a233d5a460f79eda2d929567599e28
                          • Instruction ID: a90fc1e335291cb91617f49d451905cbdd16effe949481fd3373ec8da7075f0a
                          • Opcode Fuzzy Hash: d81b111fa894a2695e89ca815844d6c346a233d5a460f79eda2d929567599e28
                          • Instruction Fuzzy Hash: 45411832A100679BCB206F7ECD945BFB7B5AFA1754B244529E421DB284F731CD81C7A0
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 00AF53A0
                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00AF5416
                          • GetLastError.KERNEL32 ref: 00AF5420
                          • SetErrorMode.KERNEL32(00000000,READY), ref: 00AF54A7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Error$Mode$DiskFreeLastSpace
                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                          • API String ID: 4194297153-14809454
                          • Opcode ID: b8261a329d86d1a1fbfbeb7a3beea92b6d6258dc5d712901a6819da7e1490afa
                          • Instruction ID: ae4787d808a1d06cfa7c8952798de3f12869e3b763ebb2d51b64e76e767133e7
                          • Opcode Fuzzy Hash: b8261a329d86d1a1fbfbeb7a3beea92b6d6258dc5d712901a6819da7e1490afa
                          • Instruction Fuzzy Hash: 71319F75E006099FD710DFA8C584ABABBB5EF05306F148069F605DB292DB31DE82CBA1
                          APIs
                          • CreateMenu.USER32 ref: 00B13C79
                          • SetMenu.USER32(?,00000000), ref: 00B13C88
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B13D10
                          • IsMenu.USER32(?), ref: 00B13D24
                          • CreatePopupMenu.USER32 ref: 00B13D2E
                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B13D5B
                          • DrawMenuBar.USER32 ref: 00B13D63
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Menu$CreateItem$DrawInfoInsertPopup
                          • String ID: 0$F
                          • API String ID: 161812096-3044882817
                          • Opcode ID: 2257f957548198ef77dc086a2e0e4ed7fe4486f5bf1bf247019bc1dfb46f490c
                          • Instruction ID: 43c85edb0cf309fa80f3b2f06c1e6fcd30ede949e45ebd8ea01b73fcf1ae2b72
                          • Opcode Fuzzy Hash: 2257f957548198ef77dc086a2e0e4ed7fe4486f5bf1bf247019bc1dfb46f490c
                          • Instruction Fuzzy Hash: 15418A74A01209EFDB14CF64E885BEA7BF6FF49304F544068E91697360EB30AA10CB90
                          APIs
                            • Part of subcall function 00A89CB3: _wcslen.LIBCMT ref: 00A89CBD
                            • Part of subcall function 00AE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AE3CCA
                          • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00AE1F64
                          • GetDlgCtrlID.USER32 ref: 00AE1F6F
                          • GetParent.USER32 ref: 00AE1F8B
                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00AE1F8E
                          • GetDlgCtrlID.USER32(?), ref: 00AE1F97
                          • GetParent.USER32(?), ref: 00AE1FAB
                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00AE1FAE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessageSend$CtrlParent$ClassName_wcslen
                          • String ID: ComboBox$ListBox
                          • API String ID: 711023334-1403004172
                          • Opcode ID: 869a3598a4d9ce246c2b7afae85305d7bef2d5f68d05a2c0e47abc348100ded7
                          • Instruction ID: 2680076f29887799beb794f608d82be819ed3d655fff18587d135c222fadddcd
                          • Opcode Fuzzy Hash: 869a3598a4d9ce246c2b7afae85305d7bef2d5f68d05a2c0e47abc348100ded7
                          • Instruction Fuzzy Hash: D321D171940214BFCF04AFA1CC85DFEBBB8EF05310F104156F961A72A1DB359918DBA0
                          APIs
                            • Part of subcall function 00A89CB3: _wcslen.LIBCMT ref: 00A89CBD
                            • Part of subcall function 00AE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AE3CCA
                          • SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00AE2043
                          • GetDlgCtrlID.USER32 ref: 00AE204E
                          • GetParent.USER32 ref: 00AE206A
                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00AE206D
                          • GetDlgCtrlID.USER32(?), ref: 00AE2076
                          • GetParent.USER32(?), ref: 00AE208A
                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00AE208D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessageSend$CtrlParent$ClassName_wcslen
                          • String ID: ComboBox$ListBox
                          • API String ID: 711023334-1403004172
                          • Opcode ID: edbda34ff1eb531d8bfaa7414cf0fc9f4400fec5f5687ce6c8e63c812bc4c369
                          • Instruction ID: 8f448849d15e069677618622a396f8f0813c16945f7ce7b376eca1d17046d5cd
                          • Opcode Fuzzy Hash: edbda34ff1eb531d8bfaa7414cf0fc9f4400fec5f5687ce6c8e63c812bc4c369
                          • Instruction Fuzzy Hash: D921F3B1940218BFCF11AFA1CC85EFEBFB8EF09300F104045F951A71A1DA758918DB60
                          APIs
                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B13A9D
                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B13AA0
                          • GetWindowLongW.USER32(?,000000F0), ref: 00B13AC7
                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B13AEA
                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B13B62
                          • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00B13BAC
                          • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00B13BC7
                          • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00B13BE2
                          • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00B13BF6
                          • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00B13C13
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessageSend$LongWindow
                          • String ID:
                          • API String ID: 312131281-0
                          • Opcode ID: 511b5a2263af9db45be409f2c885d119b076a8419d2bd7c2955e5c9b4d48c123
                          • Instruction ID: bd7e74062b76cdc4631d6d3226109617229da247a9d91b2760b126f3cb2e3884
                          • Opcode Fuzzy Hash: 511b5a2263af9db45be409f2c885d119b076a8419d2bd7c2955e5c9b4d48c123
                          • Instruction Fuzzy Hash: F3615B75900248AFDB10DFA8CC81FEE77F8EB09714F104199FA15A72A1D774AE85DB50
                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 00AEB151
                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00AEA1E1,?,00000001), ref: 00AEB165
                          • GetWindowThreadProcessId.USER32(00000000), ref: 00AEB16C
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AEA1E1,?,00000001), ref: 00AEB17B
                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00AEB18D
                          • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00AEA1E1,?,00000001), ref: 00AEB1A6
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AEA1E1,?,00000001), ref: 00AEB1B8
                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00AEA1E1,?,00000001), ref: 00AEB1FD
                          • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00AEA1E1,?,00000001), ref: 00AEB212
                          • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00AEA1E1,?,00000001), ref: 00AEB21D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                          • String ID:
                          • API String ID: 2156557900-0
                          • Opcode ID: 3bb40374342963d48e786b3cc43b9a87dadfe54ea147bf1fff8a3ce3eab12db3
                          • Instruction ID: 87f2008ab10391ec8a6df669d8b0f644966dbc8399be626fb4a394ee4e968b6c
                          • Opcode Fuzzy Hash: 3bb40374342963d48e786b3cc43b9a87dadfe54ea147bf1fff8a3ce3eab12db3
                          • Instruction Fuzzy Hash: A331BB75560344BFDB129F25DC58BAF7BA9BF517A2F648008FA00D72A0DBB49A408F74
                          APIs
                          • _free.LIBCMT ref: 00AB2C94
                            • Part of subcall function 00AB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ABD7D1,00000000,00000000,00000000,00000000,?,00ABD7F8,00000000,00000007,00000000,?,00ABDBF5,00000000), ref: 00AB29DE
                            • Part of subcall function 00AB29C8: GetLastError.KERNEL32(00000000,?,00ABD7D1,00000000,00000000,00000000,00000000,?,00ABD7F8,00000000,00000007,00000000,?,00ABDBF5,00000000,00000000), ref: 00AB29F0
                          • _free.LIBCMT ref: 00AB2CA0
                          • _free.LIBCMT ref: 00AB2CAB
                          • _free.LIBCMT ref: 00AB2CB6
                          • _free.LIBCMT ref: 00AB2CC1
                          • _free.LIBCMT ref: 00AB2CCC
                          • _free.LIBCMT ref: 00AB2CD7
                          • _free.LIBCMT ref: 00AB2CE2
                          • _free.LIBCMT ref: 00AB2CED
                          • _free.LIBCMT ref: 00AB2CFB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 50c223c0a47512d6f9cae30164502de825c919affc2e5dcb679888b71b846d1c
                          • Instruction ID: b81bf8882f4cef83c85d38486ea20b9c05f3509535c971f7694da3c79e112ea6
                          • Opcode Fuzzy Hash: 50c223c0a47512d6f9cae30164502de825c919affc2e5dcb679888b71b846d1c
                          • Instruction Fuzzy Hash: 5F114676510108BFCB02EF54DA42EDD3BA9FF45350F5149A6F9485B222DA31EE509B90
                          APIs
                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AF7FAD
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00AF7FC1
                          • GetFileAttributesW.KERNEL32(?), ref: 00AF7FEB
                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 00AF8005
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00AF8017
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00AF8060
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00AF80B0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: CurrentDirectory$AttributesFile
                          • String ID: *.*
                          • API String ID: 769691225-438819550
                          • Opcode ID: 40f605e9f8f7c712e84caa7bcfd3ac2b86eeb4b7d01e8f1156fa11f3f871c8d9
                          • Instruction ID: 285d4c5ac6ff0f111153e589cebee56ef2d021db9216dafebb9d64201b558946
                          • Opcode Fuzzy Hash: 40f605e9f8f7c712e84caa7bcfd3ac2b86eeb4b7d01e8f1156fa11f3f871c8d9
                          • Instruction Fuzzy Hash: B381CE725082099BCB20EF94C844ABEB3E8BF89314F54485FFA85C7250EB34DD49CB92
                          APIs
                          • SetWindowLongW.USER32(?,000000EB), ref: 00A85C7A
                            • Part of subcall function 00A85D0A: GetClientRect.USER32(?,?), ref: 00A85D30
                            • Part of subcall function 00A85D0A: GetWindowRect.USER32(?,?), ref: 00A85D71
                            • Part of subcall function 00A85D0A: ScreenToClient.USER32(?,?), ref: 00A85D99
                          • GetDC.USER32 ref: 00AC46F5
                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00AC4708
                          • SelectObject.GDI32(00000000,00000000), ref: 00AC4716
                          • SelectObject.GDI32(00000000,00000000), ref: 00AC472B
                          • ReleaseDC.USER32(?,00000000), ref: 00AC4733
                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00AC47C4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                          • String ID: U
                          • API String ID: 4009187628-3372436214
                          • Opcode ID: 7890387852bffeeadd7d036b0d8a5ef72f19ac7c63af7b25a7925bf70e7eea7b
                          • Instruction ID: 13f08f46055dc75eed670ad275f763c1a09d3136d6ad81cf6c0b6d8bdcdb4f53
                          • Opcode Fuzzy Hash: 7890387852bffeeadd7d036b0d8a5ef72f19ac7c63af7b25a7925bf70e7eea7b
                          • Instruction Fuzzy Hash: C971DC31800205DFCF219F64C994FEA3BB6FF4A324F154269ED565A2AAC7308C81DF60
                          APIs
                          • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00AF35E4
                            • Part of subcall function 00A89CB3: _wcslen.LIBCMT ref: 00A89CBD
                          • LoadStringW.USER32(00B52390,?,00000FFF,?), ref: 00AF360A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: LoadString$_wcslen
                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                          • API String ID: 4099089115-2391861430
                          • Opcode ID: acc6c48e15b0991f5d0e2614210d702044dafb0720462982bbd3143f8b2793b6
                          • Instruction ID: 84998b5e2b64ab291253d393d1bac4436199644691224083246456a3e6341f3b
                          • Opcode Fuzzy Hash: acc6c48e15b0991f5d0e2614210d702044dafb0720462982bbd3143f8b2793b6
                          • Instruction Fuzzy Hash: B951387280020ABADF14FBE0CE46AFEBB78AF14300F144165F205761A1EB311B99DBA1
                          APIs
                            • Part of subcall function 00A99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A99BB2
                            • Part of subcall function 00A9912D: GetCursorPos.USER32(?), ref: 00A99141
                            • Part of subcall function 00A9912D: ScreenToClient.USER32(00000000,?), ref: 00A9915E
                            • Part of subcall function 00A9912D: GetAsyncKeyState.USER32(00000001), ref: 00A99183
                            • Part of subcall function 00A9912D: GetAsyncKeyState.USER32(00000002), ref: 00A9919D
                          • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00B18B6B
                          • ImageList_EndDrag.COMCTL32 ref: 00B18B71
                          • ReleaseCapture.USER32 ref: 00B18B77
                          • SetWindowTextW.USER32(?,00000000), ref: 00B18C12
                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00B18C25
                          • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00B18CFF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                          • String ID: @GUI_DRAGFILE$@GUI_DROPID
                          • API String ID: 1924731296-2107944366
                          • Opcode ID: c4fc0304483ceddf529c331dbf80fe5aec9628a95b55422f7596fce5764f1e3c
                          • Instruction ID: 9fead1dbc1bdf1375c02f1e31a70d72bead530a8547b71a734af6402bcca7c2b
                          • Opcode Fuzzy Hash: c4fc0304483ceddf529c331dbf80fe5aec9628a95b55422f7596fce5764f1e3c
                          • Instruction Fuzzy Hash: 80517C71204300AFD700EF24DD56BAA7BE4FB88715F800AADF956972E1CB719D54CBA2
                          APIs
                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00AFC272
                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AFC29A
                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00AFC2CA
                          • GetLastError.KERNEL32 ref: 00AFC322
                          • SetEvent.KERNEL32(?), ref: 00AFC336
                          • InternetCloseHandle.WININET(00000000), ref: 00AFC341
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                          • String ID:
                          • API String ID: 3113390036-3916222277
                          • Opcode ID: 817b8518391de8d6a81c01b252dd06a9636dd0eecf247cb6c50f8da75494aecf
                          • Instruction ID: c2984343db4b57b7bd34ad1e1904b6bcd2d1f6370b55649710f32be0caf9e040
                          • Opcode Fuzzy Hash: 817b8518391de8d6a81c01b252dd06a9636dd0eecf247cb6c50f8da75494aecf
                          • Instruction Fuzzy Hash: 7F31937150020CAFD7219FA68E88ABBBBFCEB49794B54851DF546D7240DB30DD049B61
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00AC3AAF,?,?,Bad directive syntax error,00B1CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00AE98BC
                          • LoadStringW.USER32(00000000,?,00AC3AAF,?), ref: 00AE98C3
                            • Part of subcall function 00A89CB3: _wcslen.LIBCMT ref: 00A89CBD
                          • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00AE9987
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: HandleLoadMessageModuleString_wcslen
                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                          • API String ID: 858772685-4153970271
                          • Opcode ID: 754de4a4dd8abfe1333d11cc85e447843b4edc78aa61020dc29dc7f96eb94bb4
                          • Instruction ID: cf4f4caf865f645f178607cad1308c1e5c5ba48297445d9e3c25b394652a0afa
                          • Opcode Fuzzy Hash: 754de4a4dd8abfe1333d11cc85e447843b4edc78aa61020dc29dc7f96eb94bb4
                          • Instruction Fuzzy Hash: 21218B3294021AAFCF15AF90CD0AEFE7779FF19700F044469F515660A2EB719A28EB51
                          APIs
                          • GetParent.USER32 ref: 00AE20AB
                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00AE20C0
                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00AE214D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ClassMessageNameParentSend
                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                          • API String ID: 1290815626-3381328864
                          • Opcode ID: e67ceb04e60e382137b78e1bc46428a8eaccfdc828a2a9e5334a1d75a5e2f12e
                          • Instruction ID: 76d1f888f6869c703dc9fbd2690cc86011fe220cde5411045954be26e72063ef
                          • Opcode Fuzzy Hash: e67ceb04e60e382137b78e1bc46428a8eaccfdc828a2a9e5334a1d75a5e2f12e
                          • Instruction Fuzzy Hash: C2112C766C4706BAF6116721DC07EE637DCCB05364B200256F704A60F2FFB15A016714
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9c424790cac348a14454be649df833163f6625fa79526c29771ca227f02e36df
                          • Instruction ID: 90b35a5ce29e0745b5f6dc5bf96f849258c754789f70bf6f0acfe4fce8e70d69
                          • Opcode Fuzzy Hash: 9c424790cac348a14454be649df833163f6625fa79526c29771ca227f02e36df
                          • Instruction Fuzzy Hash: A8C1D174A04349AFDF11EFACD841BEEBBB8AF1A310F144199E915A7393CB349941CB61
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                          • String ID:
                          • API String ID: 1282221369-0
                          • Opcode ID: 610884864a5ee428ed05713462a48a745cb37a2b55dcd7d5190a777e87c6101f
                          • Instruction ID: 8c195e4fad89231056323bafd89f5aaacf40ce8ebdb3e697cd28dd00d3648680
                          • Opcode Fuzzy Hash: 610884864a5ee428ed05713462a48a745cb37a2b55dcd7d5190a777e87c6101f
                          • Instruction Fuzzy Hash: FD610571A04301AFDB25BFB89981FFA7BADEF05320F0445AEF94597283EA319D019790
                          APIs
                          • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00B15186
                          • ShowWindow.USER32(?,00000000), ref: 00B151C7
                          • ShowWindow.USER32(?,00000005,?,00000000), ref: 00B151CD
                          • SetFocus.USER32(?,?,00000005,?,00000000), ref: 00B151D1
                            • Part of subcall function 00B16FBA: DeleteObject.GDI32(00000000), ref: 00B16FE6
                          • GetWindowLongW.USER32(?,000000F0), ref: 00B1520D
                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B1521A
                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B1524D
                          • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00B15287
                          • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00B15296
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                          • String ID:
                          • API String ID: 3210457359-0
                          • Opcode ID: 5e4cdc0bfacffb8856b69b6ed50ac4eb7edfd87bc02472576d4e4265747785e1
                          • Instruction ID: 8728193f9f9ba54eaa7f485167b4150f3b8dac4d296c9425819cdaef599fa8d3
                          • Opcode Fuzzy Hash: 5e4cdc0bfacffb8856b69b6ed50ac4eb7edfd87bc02472576d4e4265747785e1
                          • Instruction Fuzzy Hash: 2251B431A90A08FEEF319F24CC45BD93BE5EB86321F948195F515A72E0C7B599D0DB80
                          APIs
                          • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00AD6890
                          • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00AD68A9
                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00AD68B9
                          • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00AD68D1
                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00AD68F2
                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00A98874,00000000,00000000,00000000,000000FF,00000000), ref: 00AD6901
                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00AD691E
                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00A98874,00000000,00000000,00000000,000000FF,00000000), ref: 00AD692D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Icon$DestroyExtractImageLoadMessageSend
                          • String ID:
                          • API String ID: 1268354404-0
                          • Opcode ID: 817be64d3d35708523f4b2567fc6c69cafd0b6eccdc767da8523757f17115ae0
                          • Instruction ID: 8b24ee6fecc4e9434bbe67f7e7a7ad94c9ae6b4f09a76907502cc34aaf6e1c32
                          • Opcode Fuzzy Hash: 817be64d3d35708523f4b2567fc6c69cafd0b6eccdc767da8523757f17115ae0
                          • Instruction Fuzzy Hash: A0517470600209AFDF20CF28CC95BAE7BF6EB58760F144519F906972A0DB74E990DB50
                          APIs
                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00AFC182
                          • GetLastError.KERNEL32 ref: 00AFC195
                          • SetEvent.KERNEL32(?), ref: 00AFC1A9
                            • Part of subcall function 00AFC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00AFC272
                            • Part of subcall function 00AFC253: GetLastError.KERNEL32 ref: 00AFC322
                            • Part of subcall function 00AFC253: SetEvent.KERNEL32(?), ref: 00AFC336
                            • Part of subcall function 00AFC253: InternetCloseHandle.WININET(00000000), ref: 00AFC341
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                          • String ID:
                          • API String ID: 337547030-0
                          • Opcode ID: b49c422d4fa8061d4339af2a7e13a22f0c841eca0c225d697623c1bc5313d636
                          • Instruction ID: d5032df0d4e663be10b6b1a22542a5a292e5ad89ae8b14db57c24a8f2395088b
                          • Opcode Fuzzy Hash: b49c422d4fa8061d4339af2a7e13a22f0c841eca0c225d697623c1bc5313d636
                          • Instruction Fuzzy Hash: F9318D7114060DAFDB21AFE6DE44AF6BBF8FF18320B00851DFA5683611DB30E9149BA0
                          APIs
                            • Part of subcall function 00AE3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AE3A57
                            • Part of subcall function 00AE3A3D: GetCurrentThreadId.KERNEL32 ref: 00AE3A5E
                            • Part of subcall function 00AE3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00AE25B3), ref: 00AE3A65
                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00AE25BD
                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00AE25DB
                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00AE25DF
                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00AE25E9
                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00AE2601
                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00AE2605
                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00AE260F
                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00AE2623
                          • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00AE2627
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                          • String ID:
                          • API String ID: 2014098862-0
                          • Opcode ID: f85cefd9f3f26655ddf71319ed4e28de45a02c2b0cf5df08dc183b4cad3094f0
                          • Instruction ID: a165cd63ec9510f17e5e4d2cf27826669df9d6746bf2e8aba2f04be89137d2ad
                          • Opcode Fuzzy Hash: f85cefd9f3f26655ddf71319ed4e28de45a02c2b0cf5df08dc183b4cad3094f0
                          • Instruction Fuzzy Hash: D001D4313D0354BBFB1067699C8EF993F99DB4EB52F604011F318AF0D5CDE224448A69
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00AE1449,?,?,00000000), ref: 00AE180C
                          • HeapAlloc.KERNEL32(00000000,?,00AE1449,?,?,00000000), ref: 00AE1813
                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AE1449,?,?,00000000), ref: 00AE1828
                          • GetCurrentProcess.KERNEL32(?,00000000,?,00AE1449,?,?,00000000), ref: 00AE1830
                          • DuplicateHandle.KERNEL32(00000000,?,00AE1449,?,?,00000000), ref: 00AE1833
                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AE1449,?,?,00000000), ref: 00AE1843
                          • GetCurrentProcess.KERNEL32(00AE1449,00000000,?,00AE1449,?,?,00000000), ref: 00AE184B
                          • DuplicateHandle.KERNEL32(00000000,?,00AE1449,?,?,00000000), ref: 00AE184E
                          • CreateThread.KERNEL32(00000000,00000000,00AE1874,00000000,00000000,00000000), ref: 00AE1868
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                          • String ID:
                          • API String ID: 1957940570-0
                          • Opcode ID: 6ea89ef34c2a53c2314a838de8d95348326a0c57da3546bf38bbf7956cafc706
                          • Instruction ID: 605e8968f4f7f7fadcfeb4a6a7389ca6b35c393ad60edc59d3c484314930b441
                          • Opcode Fuzzy Hash: 6ea89ef34c2a53c2314a838de8d95348326a0c57da3546bf38bbf7956cafc706
                          • Instruction Fuzzy Hash: D501BFB52C0344BFE710AB65DC4DF977FACEB89B11F508411FA05DB191CA709810CB20
                          APIs
                            • Part of subcall function 00AED4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00AED501
                            • Part of subcall function 00AED4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00AED50F
                            • Part of subcall function 00AED4DC: CloseHandle.KERNEL32(00000000), ref: 00AED5DC
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B0A16D
                          • GetLastError.KERNEL32 ref: 00B0A180
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B0A1B3
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 00B0A268
                          • GetLastError.KERNEL32(00000000), ref: 00B0A273
                          • CloseHandle.KERNEL32(00000000), ref: 00B0A2C4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                          • String ID: SeDebugPrivilege
                          • API String ID: 2533919879-2896544425
                          • Opcode ID: cbaf2eac452bcc4a39b905c2e307caa5075e92c8cc77a028f02cf956aecd113d
                          • Instruction ID: c6e9c73e9b9b8445aafd6d10074f7e9e783c2db2fcd412b4f3c1b846419e135e
                          • Opcode Fuzzy Hash: cbaf2eac452bcc4a39b905c2e307caa5075e92c8cc77a028f02cf956aecd113d
                          • Instruction Fuzzy Hash: 81616A30204342AFE720DF19C594F16BBE1AF54318F54889CE4668B6A3CB72ED49CB92
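Added example, not part of the Joe Sandbox report or of the analysed sample: the entry above is the one function in this section whose call chain pairs process enumeration (CreateToolhelp32Snapshot, Process32FirstW) with OpenProcess and TerminateProcess, and the desired-access value 00000001 handed to OpenProcess is PROCESS_TERMINATE, which is exactly the right the later TerminateProcess needs. The Python below parses "APIs" lines in the format printed above (the sample lines are copied from that entry), decodes the OpenProcess access mask, and flags the enumerate-open-terminate chain. The line regex, the PROCESS_* table and the flagging rule are this example's own assumptions about the report layout, not a Joe Sandbox API.

```python
"""Reconstruct the API call chain from a Joe Sandbox per-function 'APIs'
entry and flag the capability it implies.  Added example; not part of the
Joe Sandbox report.  The sample entry is copied from the report entry above;
the line regex and the rule set are this example's own assumptions."""
import re
from typing import Dict, List, Optional

# Call lines copied from the TerminateProcess entry above (page data, not invented).
SAMPLE_ENTRY = """\
• Part of subcall function 00AED4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00AED501
• Part of subcall function 00AED4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00AED50F
• Part of subcall function 00AED4DC: CloseHandle.KERNEL32(00000000), ref: 00AED5DC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B0A16D
• GetLastError.KERNEL32 ref: 00B0A180
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B0A1B3
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00B0A268
• GetLastError.KERNEL32(00000000), ref: 00B0A273
• CloseHandle.KERNEL32(00000000), ref: 00B0A2C4
"""

# One report line: optional subcall prefix, Api.MODULE, optional (args), ref: addr.
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# PROCESS_* access-right bits as defined in the Windows SDK (winnt.h).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}


def parse_entry(text: str) -> List[Dict]:
    """Turn the lines of one 'APIs' entry into ordered call records.
    Lines that do not look like a call (section headers) are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
        calls.append({
            "api": m["api"], "module": m["mod"], "args": args,
            "ref": m["ref"].upper(), "subcall": (m["sub"] or "").upper() or None,
        })
    return calls


def hex_arg(arg: str) -> Optional[int]:
    """Joe prints resolved arguments as 8-hex-digit values and unknowns as '?'."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode_process_rights(mask: int) -> List[str]:
    """Names of the PROCESS_* bits set in an OpenProcess desired-access mask."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def flag_capabilities(calls: List[Dict]) -> List[str]:
    """Rule over the ordered chain: 'process-kill' needs process enumeration,
    an OpenProcess that asks for PROCESS_TERMINATE, and a TerminateProcess
    that comes after it.  TerminateProcess on its own does not fire."""
    names = [c["api"] for c in calls]
    flags = []
    enumerates = any(n in ("CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW")
                     for n in names)
    term_open_idx = [i for i, c in enumerate(calls)
                     if c["api"] == "OpenProcess" and c["args"]
                     and (hex_arg(c["args"][0]) or 0) & 0x0001]
    kill_idx = [i for i, n in enumerate(names) if n == "TerminateProcess"]
    if enumerates and term_open_idx and kill_idx and kill_idx[-1] > term_open_idx[0]:
        flags.append("process-kill")
    return flags


if __name__ == "__main__":
    chain = parse_entry(SAMPLE_ENTRY)
    for c in chain:
        rights = decode_process_rights(hex_arg(c["args"][0]) or 0) if c["api"] == "OpenProcess" else ""
        print(f'{c["ref"]} {c["api"]:<26} {rights}')
    print("flags:", flag_capabilities(chain))
```

The rule is deliberately ordered: an OpenProcess that only requests PROCESS_TERMINATE is itself a useful signal (nothing else can be done with such a handle), but the flag fires only when TerminateProcess follows it in the same function, so a process that merely terminates itself is not reported.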
                          APIs
                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B13925
                          • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00B1393A
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B13954
                          • _wcslen.LIBCMT ref: 00B13999
                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 00B139C6
                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B139F4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessageSend$Window_wcslen
                          • String ID: SysListView32
                          • API String ID: 2147712094-78025650
                          • Opcode ID: d1789386db441fcf889065c141258ef34a3aafc26127b3370eb0862ee0fa74c9
                          • Instruction ID: 0ca923eeb6146bb31e5fa3705616ec77a841181a60ff88a38c0d6fe665e046cf
                          • Opcode Fuzzy Hash: d1789386db441fcf889065c141258ef34a3aafc26127b3370eb0862ee0fa74c9
                          • Instruction Fuzzy Hash: 6941C431A00218ABEF219F64CC45FEA7BE9EF08750F500566F959E7281E7719E80CB90
                          APIs
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AEBCFD
                          • IsMenu.USER32(00000000), ref: 00AEBD1D
                          • CreatePopupMenu.USER32 ref: 00AEBD53
                          • GetMenuItemCount.USER32(00C363D8), ref: 00AEBDA4
                          • InsertMenuItemW.USER32(00C363D8,?,00000001,00000030), ref: 00AEBDCC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Menu$Item$CountCreateInfoInsertPopup
                          • String ID: 0$2
                          • API String ID: 93392585-3793063076
                          • Opcode ID: 38e84baeb3ff4f7e475dc65e6af821107e88c9151232d626889f6753f2fe8978
                          • Instruction ID: 0bbdb9e15fe1df37dfc9136a7a0886d2fcbb256ec644c70a7e0a61cca36f8f8a
                          • Opcode Fuzzy Hash: 38e84baeb3ff4f7e475dc65e6af821107e88c9151232d626889f6753f2fe8978
                          • Instruction Fuzzy Hash: CE519C70A102899BDF20CFAADDC8BAFBBF9AF55314F248229E411D7291D7709941CB71
                          APIs
                          • LoadIconW.USER32(00000000,00007F03), ref: 00AEC913
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: IconLoad
                          • String ID: blank$info$question$stop$warning
                          • API String ID: 2457776203-404129466
                          • Opcode ID: f094d8ad83e019ac2dd21fe353c605cd1ed63c468d9c801c3ab1a9251c2c9fac
                          • Instruction ID: e9ea3da781bcf42dfab73aab87d442adde9d37f858d1ed34d91da4132a09d3ca
                          • Opcode Fuzzy Hash: f094d8ad83e019ac2dd21fe353c605cd1ed63c468d9c801c3ab1a9251c2c9fac
                          • Instruction Fuzzy Hash: F5112C32689346BAE7019B55DD83CEE77ECDF16374B60006AF900A72D3E7B45E016269
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                          • String ID: 0.0.0.0
                          • API String ID: 642191829-3771769585
                          • Opcode ID: dddbe30444d2514a735d0b6fcad27718d63c5c62860ec423a80e0e7fd59f0121
                          • Instruction ID: c342bbfbc3919013d245e5d08d1b4309a1c8c9e38a5b16d4849cd6d84185a3d6
                          • Opcode Fuzzy Hash: dddbe30444d2514a735d0b6fcad27718d63c5c62860ec423a80e0e7fd59f0121
                          • Instruction Fuzzy Hash: 0811D371904215AFCB20AB61DD4AEEF7BBCDF56711F0001A9F545EB0D1EFB18E818AA0
                          APIs
                            • Part of subcall function 00A99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A99BB2
                          • GetSystemMetrics.USER32(0000000F), ref: 00B19FC7
                          • GetSystemMetrics.USER32(0000000F), ref: 00B19FE7
                          • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00B1A224
                          • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00B1A242
                          • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00B1A263
                          • ShowWindow.USER32(00000003,00000000), ref: 00B1A282
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00B1A2A7
                          • DefDlgProcW.USER32(?,00000005,?,?), ref: 00B1A2CA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                          • String ID:
                          • API String ID: 1211466189-0
                          • Opcode ID: 283a1de3c9da73ee6ae14ca0fffb4911aa75b8fa884640890be8bc6b67f0eac5
                          • Instruction ID: 557a9be006253e1ceb831bfa6da6a7099ac61fd0020efa2140779c4fbde84fa8
                          • Opcode Fuzzy Hash: 283a1de3c9da73ee6ae14ca0fffb4911aa75b8fa884640890be8bc6b67f0eac5
                          • Instruction Fuzzy Hash: 36B1B731601215EBCF14CF68C9857EE7BF2FF48701F5880A9EC49AB295DB31A980CB91
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _wcslen$LocalTime
                          • String ID:
                          • API String ID: 952045576-0
                          • Opcode ID: b5729f8759112dcf4c64d9f938e3adf026942de542abcde844c992d712b5b36b
                          • Instruction ID: a92afc3b3ddc2db6d58a36d4efdbc4d7af36c1a384196ebea148f2d7b586efa7
                          • Opcode Fuzzy Hash: b5729f8759112dcf4c64d9f938e3adf026942de542abcde844c992d712b5b36b
                          • Instruction Fuzzy Hash: C241B265C10258B6DB11EBF5CC8AACFB7ACAF46310F508462F518E3161FB34E255C7A5
                          APIs
                          • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00AD682C,00000004,00000000,00000000), ref: 00A9F953
                          • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00AD682C,00000004,00000000,00000000), ref: 00ADF3D1
                          • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00AD682C,00000004,00000000,00000000), ref: 00ADF454
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ShowWindow
                          • String ID:
                          • API String ID: 1268545403-0
                          • Opcode ID: 31fea9b5cb9831b3a10c7b703678aa0b312a6129384cbcc38afa92b41ef5fada
                          • Instruction ID: 89beb3174bdbe663bad00a75c7a4601b4b1429d39857e2da9e993c3597ed6fa5
                          • Opcode Fuzzy Hash: 31fea9b5cb9831b3a10c7b703678aa0b312a6129384cbcc38afa92b41ef5fada
                          • Instruction Fuzzy Hash: D741F831718680BECF399B2DCD8876B7FE2AB56314F54843DE497D7660CA71A880CB11
                          APIs
                          • DeleteObject.GDI32(00000000), ref: 00B12D1B
                          • GetDC.USER32(00000000), ref: 00B12D23
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B12D2E
                          • ReleaseDC.USER32(00000000,00000000), ref: 00B12D3A
                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B12D76
                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B12D87
                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B15A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00B12DC2
                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B12DE1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                          • String ID:
                          • API String ID: 3864802216-0
                          • Opcode ID: 8b58bb1c28b99336d496936f5065bda119660b7bdde84234f4b81686f183adba
                          • Instruction ID: 4ea0c0e766f9ff87952661941d78c4f005ec3ebd9c9a632aa1ee4943a8821dc1
                          • Opcode Fuzzy Hash: 8b58bb1c28b99336d496936f5065bda119660b7bdde84234f4b81686f183adba
                          • Instruction Fuzzy Hash: F0316B72241214BFEB158F50DC8AFEB3FA9EB09715F4480A5FE089B291CA759C50CBA4
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _memcmp
                          • String ID:
                          • API String ID: 2931989736-0
                          • Opcode ID: 2a82d3c0362c2cfee96e1c051ecbbb9b3cf9dcc925cdd04d78b967983ac98a36
                          • Instruction ID: c4249a8884e0308e8c64560a4b23ec1d0b8d76208525fd85b31c9377fd0275c9
                          • Opcode Fuzzy Hash: 2a82d3c0362c2cfee96e1c051ecbbb9b3cf9dcc925cdd04d78b967983ac98a36
                          • Instruction Fuzzy Hash: 7B219871E409457796149A326E92FFB33ACAE11388F580020FD045F5C1F761ED50C1F5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: NULL Pointer assignment$Not an Object type
                          • API String ID: 0-572801152
                          • Opcode ID: 1ef8327a3305c29b19722276bb3a27c0cbfc1c36b4a77d9bd8ff0c39ee8a01c7
                          • Instruction ID: 70cafdfd61bc3f623b0edaa95ca9333e16721f6d1ebc5b91e48326115c868b65
                          • Opcode Fuzzy Hash: 1ef8327a3305c29b19722276bb3a27c0cbfc1c36b4a77d9bd8ff0c39ee8a01c7
                          • Instruction Fuzzy Hash: BFD17D75A0060A9FDF20CF98C881AAEBBF5FF48344F1484A9E915AB691E770DD45CF90
                          APIs
                          • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00AC17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00AC15CE
                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00AC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AC1651
                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00AC17FB,?,00AC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AC16E4
                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00AC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AC16FB
                            • Part of subcall function 00AB3820: RtlAllocateHeap.NTDLL(00000000,?,00B51444,?,00A9FDF5,?,?,00A8A976,00000010,00B51440,00A813FC,?,00A813C6,?,00A81129), ref: 00AB3852
                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00AC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AC1777
                          • __freea.LIBCMT ref: 00AC17A2
                          • __freea.LIBCMT ref: 00AC17AE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                          • String ID:
                          • API String ID: 2829977744-0
                          • Opcode ID: 1ae1371ac1f310c2194e0c5de66d62454a6f9198de54e8a769ee33d5e9bc7106
                          • Instruction ID: 6ffaa93b93273f3a45bb86edc5de0d70dc46750a9a48aa35e5d07896af5be96e
                          • Opcode Fuzzy Hash: 1ae1371ac1f310c2194e0c5de66d62454a6f9198de54e8a769ee33d5e9bc7106
                          • Instruction Fuzzy Hash: 23919272F0021A9ADF208F64C991FEE7BB5AF4A710F1A465DE801E7242DB35DD41CBA0
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Variant$ClearInit
                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                          • API String ID: 2610073882-625585964
                          • Opcode ID: 21e4ecfd7dc24634b6f76d1e2b3be1d2fc30b4fc5389e2e4aafd1fd908884011
                          • Instruction ID: e924d1cfdfd3667b2cecfe3025e582b8c767575d4673d534f7b8e892b0b56f69
                          • Opcode Fuzzy Hash: 21e4ecfd7dc24634b6f76d1e2b3be1d2fc30b4fc5389e2e4aafd1fd908884011
                          • Instruction Fuzzy Hash: 4B9171B1A00215ABDF20CFA5D884FAE7BF8EF46714F108599F615AB281D7709D45CFA0
                          APIs
                          • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00AF125C
                          • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00AF1284
                          • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00AF12A8
                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00AF12D8
                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00AF135F
                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00AF13C4
                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00AF1430
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ArraySafe$Data$Access$UnaccessVartype
                          • String ID:
                          • API String ID: 2550207440-0
                          • Opcode ID: 034d2239e80d2831b745c60463b99156eba8eac40b1350fc0cadf87c68a84408
                          • Instruction ID: 2b8016729c61b2b6cd2ae7ae0f9c5a8b58c9c77f86a96d8ad3d7fc6309ad911b
                          • Opcode Fuzzy Hash: 034d2239e80d2831b745c60463b99156eba8eac40b1350fc0cadf87c68a84408
                          • Instruction Fuzzy Hash: 3A919B75A00219EFDB009FE8C884BBEB7B5FF45325F108029FA51EB291D774A941CB90
                          Similarity
                          • API ID: ObjectSelect$BeginCreatePath
                          • String ID:
                          • API String ID: 3225163088-0
                          • Opcode ID: 75b6758c37a516b77df585e0b808d3b8d2aa1d1857e3bae9695e266779e4e0a8
                          • Instruction ID: 05adddf305d93eb692145fb58f4191380a02fe1da68225f99a2aa5e782af5267
                          • Opcode Fuzzy Hash: 75b6758c37a516b77df585e0b808d3b8d2aa1d1857e3bae9695e266779e4e0a8
                          • Instruction Fuzzy Hash: B7912571A40219AFCF15CFA9C888AEFBBB8FF49320F14805AE515B7251D774AA41CB60
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 00B0396B
                          • CharUpperBuffW.USER32(?,?), ref: 00B03A7A
                          • _wcslen.LIBCMT ref: 00B03A8A
                          • VariantClear.OLEAUT32(?), ref: 00B03C1F
                            • Part of subcall function 00AF0CDF: VariantInit.OLEAUT32(00000000), ref: 00AF0D1F
                            • Part of subcall function 00AF0CDF: VariantCopy.OLEAUT32(?,?), ref: 00AF0D28
                            • Part of subcall function 00AF0CDF: VariantClear.OLEAUT32(?), ref: 00AF0D34
                          Strings
                          Similarity
                          • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                          • API String ID: 4137639002-1221869570
                          • Opcode ID: a8d0330efa1b973a7899c1ca1e61321992df2f33dd9a5e26f150229c90eb1837
                          • Instruction ID: ffd7055cab0d4932fa257945345eba5d30f400fc0d4f122fbaf54107ae8a8fe8
                          • Opcode Fuzzy Hash: a8d0330efa1b973a7899c1ca1e61321992df2f33dd9a5e26f150229c90eb1837
                          • Instruction Fuzzy Hash: 6C916D756083059FC704EF24C58496ABBE8FF89714F14886DF48A97391DB30EE45CB92
                          APIs
                            • Part of subcall function 00AE000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ADFF41,80070057,?,?,?,00AE035E), ref: 00AE002B
                            • Part of subcall function 00AE000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ADFF41,80070057,?,?), ref: 00AE0046
                            • Part of subcall function 00AE000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ADFF41,80070057,?,?), ref: 00AE0054
                            • Part of subcall function 00AE000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ADFF41,80070057,?), ref: 00AE0064
                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00B04C51
                          • _wcslen.LIBCMT ref: 00B04D59
                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00B04DCF
                          • CoTaskMemFree.OLE32(?), ref: 00B04DDA
                          Strings
                          Similarity
                          • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                          • String ID: NULL Pointer assignment
                          • API String ID: 614568839-2785691316
                          • Opcode ID: 69863e8fd24fd2d9a7fb778132130fd242e086a0110f96377122c0284bd292ff
                          • Instruction ID: c089354ce97d44ef83dda7543df6dcda61e58c972502c2e73f3831b6964c32f5
                          • Opcode Fuzzy Hash: 69863e8fd24fd2d9a7fb778132130fd242e086a0110f96377122c0284bd292ff
                          • Instruction Fuzzy Hash: 1E9108B1D002199FDF14EFA4D891AEEBBB8FF08310F1085AAE515A7291DB709E44CF60
                          APIs
                          • GetMenu.USER32(?), ref: 00B12183
                          • GetMenuItemCount.USER32(00000000), ref: 00B121B5
                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B121DD
                          • _wcslen.LIBCMT ref: 00B12213
                          • GetMenuItemID.USER32(?,?), ref: 00B1224D
                          • GetSubMenu.USER32(?,?), ref: 00B1225B
                            • Part of subcall function 00AE3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AE3A57
                            • Part of subcall function 00AE3A3D: GetCurrentThreadId.KERNEL32 ref: 00AE3A5E
                            • Part of subcall function 00AE3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00AE25B3), ref: 00AE3A65
                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B122E3
                            • Part of subcall function 00AEE97B: Sleep.KERNEL32 ref: 00AEE9F3
                          Similarity
                          • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                          • String ID:
                          • API String ID: 4196846111-0
                          • Opcode ID: e2e4562f3985414ac8d8198bfa94c4e931fdee5e6a5be163462b9ad06a6d2e00
                          • Instruction ID: 428a61531886a0d090a21dd661f797baf87ab8c82afc2ff2e61a53cda697754b
                          • Opcode Fuzzy Hash: e2e4562f3985414ac8d8198bfa94c4e931fdee5e6a5be163462b9ad06a6d2e00
                          • Instruction Fuzzy Hash: E6718E75A00205AFCB14EF64C985AEEBBF5EF48310F548499E916EB341DB34ED918B90
                          APIs
                          • IsWindow.USER32(00C36338), ref: 00B17F37
                          • IsWindowEnabled.USER32(00C36338), ref: 00B17F43
                          • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00B1801E
                          • SendMessageW.USER32(00C36338,000000B0,?,?), ref: 00B18051
                          • IsDlgButtonChecked.USER32(?,?), ref: 00B18089
                          • GetWindowLongW.USER32(00C36338,000000EC), ref: 00B180AB
                          • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B180C3
                          Similarity
                          • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                          • String ID:
                          • API String ID: 4072528602-0
                          • Opcode ID: 4f900cc3f5fba26b45ce6f1cf165a0b3afbb412b39a02d648be82b4e7a590ebb
                          • Instruction ID: a1a2a3acbe649f9ca54a9358354fcd4493c7c5a70f833c317597be6049a95809
                          • Opcode Fuzzy Hash: 4f900cc3f5fba26b45ce6f1cf165a0b3afbb412b39a02d648be82b4e7a590ebb
                          • Instruction Fuzzy Hash: 76718C75688244AFEB219F64C884FEB7BF5FF09300F944499E94597261CF31AC86CB50
                          APIs
                          • GetParent.USER32(?), ref: 00AEAEF9
                          • GetKeyboardState.USER32(?), ref: 00AEAF0E
                          • SetKeyboardState.USER32(?), ref: 00AEAF6F
                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 00AEAF9D
                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 00AEAFBC
                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00AEAFFD
                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00AEB020
                          Similarity
                          • API ID: MessagePost$KeyboardState$Parent
                          • String ID:
                          • API String ID: 87235514-0
                          • Opcode ID: ba8c6f9fecfc001594a1366413411907ebc897a0444972a422d9ff3a7f848319
                          • Instruction ID: 3dbdad5f087ea29f9fa104131b5a580390b5cf2aaf67f49517f0515b1fcd7677
                          • Opcode Fuzzy Hash: ba8c6f9fecfc001594a1366413411907ebc897a0444972a422d9ff3a7f848319
                          • Instruction Fuzzy Hash: 2C51D0A06147D53DFB36833A8C49BBBBEE95B06304F088489E1D9468C2C798FCC8D761
                          APIs
                          • GetParent.USER32(00000000), ref: 00AEAD19
                          • GetKeyboardState.USER32(?), ref: 00AEAD2E
                          • SetKeyboardState.USER32(?), ref: 00AEAD8F
                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00AEADBB
                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00AEADD8
                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00AEAE17
                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00AEAE38
                          Similarity
                          • API ID: MessagePost$KeyboardState$Parent
                          • String ID:
                          • API String ID: 87235514-0
                          • Opcode ID: e7ad555341498913255d94c54d13815c8b22b13a9a0a411a60532afb442631dd
                          • Instruction ID: fb12c8d31b1959c96cba565b666ca97158e4b4c7c0d193f33b8faa075e596704
                          • Opcode Fuzzy Hash: e7ad555341498913255d94c54d13815c8b22b13a9a0a411a60532afb442631dd
                          • Instruction Fuzzy Hash: 185107A16047E53DFB3383368C95BBABEA95F56300F088488E1D9468C3D794FC88D762
                          APIs
                          • GetConsoleCP.KERNEL32(00AC3CD6,?,?,?,?,?,?,?,?,00AB5BA3,?,?,00AC3CD6,?,?), ref: 00AB5470
                          • __fassign.LIBCMT ref: 00AB54EB
                          • __fassign.LIBCMT ref: 00AB5506
                          • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00AC3CD6,00000005,00000000,00000000), ref: 00AB552C
                          • WriteFile.KERNEL32(?,00AC3CD6,00000000,00AB5BA3,00000000,?,?,?,?,?,?,?,?,?,00AB5BA3,?), ref: 00AB554B
                          • WriteFile.KERNEL32(?,?,00000001,00AB5BA3,00000000,?,?,?,?,?,?,?,?,?,00AB5BA3,?), ref: 00AB5584
                          Similarity
                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                          • String ID:
                          • API String ID: 1324828854-0
                          • Opcode ID: fa206fdd3fc7ee432d339159fceb2e3a9c49637bd79aec5c25fd4a0983ab85f0
                          • Instruction ID: f066c3551422a2f8f85cb259e97f9cba160f0bd7057ff639023a0b1fbe1ce307
                          • Opcode Fuzzy Hash: fa206fdd3fc7ee432d339159fceb2e3a9c49637bd79aec5c25fd4a0983ab85f0
                          • Instruction Fuzzy Hash: A751BF71E00649AFDB20CFA8D885BEEBBF9EF09301F14415AE955E7292D7309A51CB60
                          APIs
                          • _ValidateLocalCookies.LIBCMT ref: 00AA2D4B
                          • ___except_validate_context_record.LIBVCRUNTIME ref: 00AA2D53
                          • _ValidateLocalCookies.LIBCMT ref: 00AA2DE1
                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00AA2E0C
                          • _ValidateLocalCookies.LIBCMT ref: 00AA2E61
                          Strings
                          Similarity
                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                          • String ID: csm
                          • API String ID: 1170836740-1018135373
                          • Opcode ID: f364b4f7cbfa69832d9600beae3845694824d17409871ef0639f5791381c6564
                          • Instruction ID: a27f7aecd0757d635e92c0fd1b71d632f79d56c5594d406691bf2b13e19bd828
                          • Opcode Fuzzy Hash: f364b4f7cbfa69832d9600beae3845694824d17409871ef0639f5791381c6564
                          • Instruction Fuzzy Hash: 7B419134A01209ABCF10DF6CC845BAEBBB5BF46324F148155E8146B3E2DB35EE65CB90
                          APIs
                            • Part of subcall function 00B0304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B0307A
                            • Part of subcall function 00B0304E: _wcslen.LIBCMT ref: 00B0309B
                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B01112
                          • WSAGetLastError.WSOCK32 ref: 00B01121
                          • WSAGetLastError.WSOCK32 ref: 00B011C9
                          • closesocket.WSOCK32(00000000), ref: 00B011F9
                          Similarity
                          • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                          • String ID:
                          • API String ID: 2675159561-0
                          • Opcode ID: 28f7e58d1beb436bb77a438190dc4603ae59e685b0ef43ae1c8014a078c844ff
                          • Instruction ID: 1f199bc151f6ded3ae336795f167eccd753475120e141b9509c1d88307ea698d
                          • Opcode Fuzzy Hash: 28f7e58d1beb436bb77a438190dc4603ae59e685b0ef43ae1c8014a078c844ff
                          • Instruction Fuzzy Hash: 5241D431600204AFDB189F18C885BAABFE9FF45364F148499F916AB2D1CB70ED41CBE1
                          APIs
                            • Part of subcall function 00AEDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AECF22,?), ref: 00AEDDFD
                            • Part of subcall function 00AEDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AECF22,?), ref: 00AEDE16
                          • lstrcmpiW.KERNEL32(?,?), ref: 00AECF45
                          • MoveFileW.KERNEL32(?,?), ref: 00AECF7F
                          • _wcslen.LIBCMT ref: 00AED005
                          • _wcslen.LIBCMT ref: 00AED01B
                          • SHFileOperationW.SHELL32(?), ref: 00AED061
                          Strings
                          Similarity
                          • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                          • String ID: \*.*
                          • API String ID: 3164238972-1173974218
                          • Opcode ID: 263831deb5bf0131bcc677008a724b29a93534d833894c63ce08835ed37eea54
                          • Instruction ID: 630c379226dab82280476a5adb9bb0ed34fa9da337709ac16b8dd744e3fdd157
                          • Opcode Fuzzy Hash: 263831deb5bf0131bcc677008a724b29a93534d833894c63ce08835ed37eea54
                          • Instruction Fuzzy Hash: D04166719452585FDF12EFA5CA81ADEB7B9AF08380F0000E6E505EB142EB34AB89CB50
                          APIs
                          • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00B12E1C
                          • GetWindowLongW.USER32(?,000000F0), ref: 00B12E4F
                          • GetWindowLongW.USER32(?,000000F0), ref: 00B12E84
                          • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00B12EB6
                          • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00B12EE0
                          • GetWindowLongW.USER32(?,000000F0), ref: 00B12EF1
                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B12F0B
                          Similarity
                          • API ID: LongWindow$MessageSend
                          • String ID:
                          • API String ID: 2178440468-0
                          • Opcode ID: 81873ccef01359d34b1cdbc889ed0cb849a4c38e3b76feb794657f5c0584c1c7
                          • Instruction ID: 77902a1c814d46a161814715da69112ae71d8bc077161537370991ef7349f97a
                          • Opcode Fuzzy Hash: 81873ccef01359d34b1cdbc889ed0cb849a4c38e3b76feb794657f5c0584c1c7
                          • Instruction Fuzzy Hash: A8311232644250AFEB21CF58DC85FA53BE1FB9A711F9541A4F9108F2B2CB71ACA1DB41
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AE7769
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AE778F
                          • SysAllocString.OLEAUT32(00000000), ref: 00AE7792
                          • SysAllocString.OLEAUT32(?), ref: 00AE77B0
                          • SysFreeString.OLEAUT32(?), ref: 00AE77B9
                          • StringFromGUID2.OLE32(?,?,00000028), ref: 00AE77DE
                          • SysAllocString.OLEAUT32(?), ref: 00AE77EC
                          Similarity
                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                          • String ID:
                          • API String ID: 3761583154-0
                          • Opcode ID: 35ba9e41d4fcb80e283c9e32e80c1c689aa3c3967eb6f4f9a673306ce70a7588
                          • Instruction ID: 84bb08ac18b8dc18ce65f7d0c89e6bfbd3949054e2b3476f448f9838ec28f384
                          • Opcode Fuzzy Hash: 35ba9e41d4fcb80e283c9e32e80c1c689aa3c3967eb6f4f9a673306ce70a7588
                          • Instruction Fuzzy Hash: 1D219076608219AFDF10DFA9CC88CFF77ACEB097647448025FA15DB250DA70DC428764
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AE7842
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AE7868
                          • SysAllocString.OLEAUT32(00000000), ref: 00AE786B
                          • SysAllocString.OLEAUT32 ref: 00AE788C
                          • SysFreeString.OLEAUT32 ref: 00AE7895
                          • StringFromGUID2.OLE32(?,?,00000028), ref: 00AE78AF
                          • SysAllocString.OLEAUT32(?), ref: 00AE78BD
                          Similarity
                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                          • String ID:
                          • API String ID: 3761583154-0
                          • Opcode ID: 9a8a64ae4f524b9746d338c73b62f54546c05dc074707a9bd2dd8df83a1bf81c
                          • Instruction ID: eb428820d84f8d62cfa07c556135f6b935c922cd7f65c13209f9166b80628179
                          • Instruction Fuzzy Hash: 4821AF76608214AFEF10AFA9DC88DAE77ECEB193607508125F915CB2A1DA70DC81CB64
                          APIs
                          • GetStdHandle.KERNEL32(0000000C), ref: 00AF04F2
                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AF052E
                          Similarity
                          • API ID: CreateHandlePipe
                          • String ID: nul
                          • API String ID: 1424370930-2873401336
                          • Opcode ID: f8a4e94e81c2bd6d9eedaa15f8cb8d0c1d57e7942e27c82f6cfb083be23b9c5b
                          • Instruction ID: cf5a795d7368619755e09b2de4a500693898e33b10ff1d0b08a81421ad8ad00d
                          • Instruction Fuzzy Hash: BA216075500309ABDF209FA9DC44EAA7BB4AF44764F208A19FAA1D72E1D7B0D940CF60
                          APIs
                          • GetStdHandle.KERNEL32(000000F6), ref: 00AF05C6
                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AF0601
                          Similarity
                          • API ID: CreateHandlePipe
                          • String ID: nul
                          • API String ID: 1424370930-2873401336
                          • Opcode ID: 3cb54f6b65b03e851ec099d0b02fa1968b5cbfed21e389d913a0ed84a343990c
                          • Instruction ID: 9c3ea0ed3394fa2f867e2547f34b14bcc45af6e81a789f9dda77291a1a07a7e7
                          • Instruction Fuzzy Hash: 2321A6755003199BDB208FA88C04EAA7BE4AF95760F204B19FAA1E72D1DBF09960CB50
                          APIs
                            • Part of subcall function 00A8600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A8604C
                            • Part of subcall function 00A8600E: GetStockObject.GDI32(00000011), ref: 00A86060
                            • Part of subcall function 00A8600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A8606A
                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B14112
                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B1411F
                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B1412A
                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B14139
                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B14145
                          Similarity
                          • API ID: MessageSend$CreateObjectStockWindow
                          • String ID: Msctls_Progress32
                          • API String ID: 1025951953-3636473452
                          • Opcode ID: 6b25d1206ab618c745eca03cf022429a10d589f70d423fd37611b0a4be0c7688
                          • Instruction ID: b15544229e22a3b1cf830a8621630e5c4b61ace8272b9ee0962aa6c5693e0d84
                          • Instruction Fuzzy Hash: CB11B2B2140219BEEF119F64CC85EE77FADEF09798F008110BB18A6050CB729C61DBA4
                          APIs
                            • Part of subcall function 00ABD7A3: _free.LIBCMT ref: 00ABD7CC
                          • _free.LIBCMT ref: 00ABD82D
                            • Part of subcall function 00AB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ABD7D1,00000000,00000000,00000000,00000000,?,00ABD7F8,00000000,00000007,00000000,?,00ABDBF5,00000000), ref: 00AB29DE
                            • Part of subcall function 00AB29C8: GetLastError.KERNEL32(00000000,?,00ABD7D1,00000000,00000000,00000000,00000000,?,00ABD7F8,00000000,00000007,00000000,?,00ABDBF5,00000000,00000000), ref: 00AB29F0
                          • _free.LIBCMT ref: 00ABD838
                          • _free.LIBCMT ref: 00ABD843
                          • _free.LIBCMT ref: 00ABD897
                          • _free.LIBCMT ref: 00ABD8A2
                          • _free.LIBCMT ref: 00ABD8AD
                          • _free.LIBCMT ref: 00ABD8B8
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                          • Instruction ID: 7627fd8b8bcd8941fe5ba718860ee3779f140c146e87d6a7afa717973869af4d
                          • Instruction Fuzzy Hash: 75111971940B44BBDA21BFB0CE47FCB7BDCAF44700F404C26B29DAA493EA65B5458760
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00AEDA74
                          • LoadStringW.USER32(00000000), ref: 00AEDA7B
                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00AEDA91
                          • LoadStringW.USER32(00000000), ref: 00AEDA98
                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00AEDADC
                          Strings
                          • %s (%d) : ==> %s: %s %s, xrefs: 00AEDAB9
                          Similarity
                          • API ID: HandleLoadModuleString$Message
                          • String ID: %s (%d) : ==> %s: %s %s
                          • API String ID: 4072794657-3128320259
                          • Opcode ID: dd6d765ffd23e42e18eeb817ebee24edf15613813ed4c132a0b94322fc60e90c
                          • Instruction ID: 2e4d3e51758aa231a855a3f2bf5cdcbf1c297741e10022ec7a318b1867509af5
                          • Instruction Fuzzy Hash: E50186F6540208BFEB509BA09D89EE7377CE708701F8044A1B706E7041EA749E844F74
                          APIs
                          • InterlockedExchange.KERNEL32(00C2FBE8,00C2FBE8), ref: 00AF097B
                          • EnterCriticalSection.KERNEL32(00C2FBC8,00000000), ref: 00AF098D
                          • TerminateThread.KERNEL32(?,000001F6), ref: 00AF099B
                          • WaitForSingleObject.KERNEL32(?,000003E8), ref: 00AF09A9
                          • CloseHandle.KERNEL32(?), ref: 00AF09B8
                          • InterlockedExchange.KERNEL32(00C2FBE8,000001F6), ref: 00AF09C8
                          • LeaveCriticalSection.KERNEL32(00C2FBC8), ref: 00AF09CF
                          Similarity
                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                          • String ID:
                          • API String ID: 3495660284-0
                          • Opcode ID: d4bda4307dfd8225ac81e3488e2a2616df72073150d6d2584b05e4b350e12ae9
                          • Instruction ID: 361feb85cf4f31612c2f9905d5574ac0df9effc2aa8d9a28d04e8e07098a81bf
                          • Instruction Fuzzy Hash: 05F01D31482612BBD7515B94EE88AE67E35BF01702F905015F201518A1DB749465CF90
                          APIs
                          • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00B01DC0
                          • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00B01DE1
                          • WSAGetLastError.WSOCK32 ref: 00B01DF2
                          • htons.WSOCK32(?,?,?,?,?), ref: 00B01EDB
                          • inet_ntoa.WSOCK32(?), ref: 00B01E8C
                            • Part of subcall function 00AE39E8: _strlen.LIBCMT ref: 00AE39F2
                            • Part of subcall function 00B03224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00AFEC0C), ref: 00B03240
                          • _strlen.LIBCMT ref: 00B01F35
                          Similarity
                          • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                          • String ID:
                          • API String ID: 3203458085-0
                          • Opcode ID: afcfc4d0c0e319df47abe9715ca384d60fc79b1d07981262771ffb1c266683fd
                          • Instruction ID: 907a98c9cb0bf6bc556f8d0a19b85cddd49738e80c1616358ffb25461ff1f2a6
                          • Instruction Fuzzy Hash: C0B1EE30204341AFD728EF28C885E2A7BE5EF85318F54898CF4565B2E2DB31ED42CB91
                          APIs
                          • GetClientRect.USER32(?,?), ref: 00A85D30
                          • GetWindowRect.USER32(?,?), ref: 00A85D71
                          • ScreenToClient.USER32(?,?), ref: 00A85D99
                          • GetClientRect.USER32(?,?), ref: 00A85ED7
                          • GetWindowRect.USER32(?,?), ref: 00A85EF8
                          Similarity
                          • API ID: Rect$Client$Window$Screen
                          • String ID:
                          • API String ID: 1296646539-0
                          • Opcode ID: 4c233fb6629d74862b0a701bd72164863af2e2690482cc56f11ed31ca63cde6b
                          • Instruction ID: a296f5ab2ebc63c359e720453230cc4568dea249bef8ae05a6ff688dd7ebf28f
                          • Instruction Fuzzy Hash: DEB15835A00A4ADBDB14DFB9C880BEAB7F1FF58310F14841AECA9D7250DB34AA51DB54
                          APIs
                          • __allrem.LIBCMT ref: 00AB00BA
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AB00D6
                          • __allrem.LIBCMT ref: 00AB00ED
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AB010B
                          • __allrem.LIBCMT ref: 00AB0122
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AB0140
                          Similarity
                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                          • String ID:
                          • API String ID: 1992179935-0
                          • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                          • Instruction ID: c40d3176f160e4d1aa8a065752494190d0be2c4929efa6c321be3b223aa06877
                          • Instruction Fuzzy Hash: 0A81C472A007069FE728AB68DD41FAB73EDAF42364F24462EF551D76C2E7B0D9008790
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00AA82D9,00AA82D9,?,?,?,00AB644F,00000001,00000001,8BE85006), ref: 00AB6258
                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00AB644F,00000001,00000001,8BE85006,?,?,?), ref: 00AB62DE
                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00AB63D8
                          • __freea.LIBCMT ref: 00AB63E5
                            • Part of subcall function 00AB3820: RtlAllocateHeap.NTDLL(00000000,?,00B51444,?,00A9FDF5,?,?,00A8A976,00000010,00B51440,00A813FC,?,00A813C6,?,00A81129), ref: 00AB3852
                          • __freea.LIBCMT ref: 00AB63EE
                          • __freea.LIBCMT ref: 00AB6413
                          Similarity
                          • API ID: ByteCharMultiWide__freea$AllocateHeap
                          • String ID:
                          • API String ID: 1414292761-0
                          • Opcode ID: a36dfd9f7c267c8a35026dabae8843c3ff91ac0ef5b1734827786e8a4b91b463
                          • Instruction ID: e15b9b5736a8dc993ab518367dae161aa0cbe93eefd0493466eb608c9497cf49
                          • Instruction Fuzzy Hash: E551BF72A00216ABEB258F64DD81EEF7BADEB44750F154629FC05DB142EB38DC54C6A0
                          APIs
                            • Part of subcall function 00A89CB3: _wcslen.LIBCMT ref: 00A89CBD
                            • Part of subcall function 00B0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0B6AE,?,?), ref: 00B0C9B5
                            • Part of subcall function 00B0C998: _wcslen.LIBCMT ref: 00B0C9F1
                            • Part of subcall function 00B0C998: _wcslen.LIBCMT ref: 00B0CA68
                            • Part of subcall function 00B0C998: _wcslen.LIBCMT ref: 00B0CA9E
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B0BCCA
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B0BD25
                          • RegCloseKey.ADVAPI32(00000000), ref: 00B0BD6A
                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B0BD99
                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B0BDF3
                          • RegCloseKey.ADVAPI32(?), ref: 00B0BDFF
                          Similarity
                          • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                          • String ID:
                          • API String ID: 1120388591-0
                          • Opcode ID: f618e1341612f9d9de25ac77afb7b7f9a1b7036680dca3f642829a14b3fde604
                          • Instruction ID: bfef971cf8a59749b392cbe099a489505d3302fa8fdf688503875b14c8b6dfa4
                          • Instruction Fuzzy Hash: 1481C430208241EFD714DF24C885E6ABBE5FF84308F1489ACF4598B2A2DB31ED45CB92
                          APIs
                          • VariantInit.OLEAUT32(00000035), ref: 00ADF7B9
                          • SysAllocString.OLEAUT32(00000001), ref: 00ADF860
                          • VariantCopy.OLEAUT32(00ADFA64,00000000), ref: 00ADF889
                          • VariantClear.OLEAUT32(00ADFA64), ref: 00ADF8AD
                          • VariantCopy.OLEAUT32(00ADFA64,00000000), ref: 00ADF8B1
                          • VariantClear.OLEAUT32(?), ref: 00ADF8BB
                          Similarity
                          • API ID: Variant$ClearCopy$AllocInitString
                          • String ID:
                          • API String ID: 3859894641-0
                          • Opcode ID: 8c3024e5a9792dff622c09dc58c1aab861d285fdae632426337179d88f9b1426
                          • Instruction ID: b8c84c0dbe44eaee2a14ef51fd4ab6fa1c41c7981546c64fbed2b833c6b4f750
                          • Instruction Fuzzy Hash: DE51C231A50310BECF24AB65D8A5B3AB3E8EF45710B248467E907DF391DB708D40CBA6
                          APIs
                            • Part of subcall function 00A87620: _wcslen.LIBCMT ref: 00A87625
                            • Part of subcall function 00A86B57: _wcslen.LIBCMT ref: 00A86B6A
                          • GetOpenFileNameW.COMDLG32(00000058), ref: 00AF94E5
                          • _wcslen.LIBCMT ref: 00AF9506
                          • _wcslen.LIBCMT ref: 00AF952D
                          • GetSaveFileNameW.COMDLG32(00000058), ref: 00AF9585
                          Similarity
                          • API ID: _wcslen$FileName$OpenSave
                          • String ID: X
                          • API String ID: 83654149-3081909835
                          • Opcode ID: f6ca1be2485bba6bf626cf0aa3408f529fb8cad35d2d8c3453c547c294d7a379
                          • Instruction ID: 1ab59cdafdf72a0c5e6b07afcb10d17dc82c285870e0fc96e0b1b5a3dffb7b48
                          • Instruction Fuzzy Hash: 12E1BE716083018FD724EF64C981B6BB7E4BF85314F04896DF9999B2A2DB31ED05CB92
                          APIs
                            • Part of subcall function 00A99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A99BB2
                          • BeginPaint.USER32(?,?,?), ref: 00A99241
                          • GetWindowRect.USER32(?,?), ref: 00A992A5
                          • ScreenToClient.USER32(?,?), ref: 00A992C2
                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A992D3
                          • EndPaint.USER32(?,?,?,?,?), ref: 00A99321
                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00AD71EA
                            • Part of subcall function 00A99339: BeginPath.GDI32(00000000), ref: 00A99357
                          Similarity
                          • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                          • String ID:
                          • API String ID: 3050599898-0
                          • Opcode ID: 9fd3a12844867f5b1613da075d0c29b5eceb05cc9f1432b3f1db015d4bd30d54
                          • Instruction ID: 0aaae6c153c77d77c89dd1fac1154679ba30404478267c87f6536bedd8b11ca5
                          • Opcode Fuzzy Hash: 9fd3a12844867f5b1613da075d0c29b5eceb05cc9f1432b3f1db015d4bd30d54
                          • Instruction Fuzzy Hash: 9D418E70204300AFDB21DF28C885FAB7BF8EB56321F14066DF9558B2B1DB719846DB61
                          APIs
                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 00AF080C
                          • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00AF0847
                          • EnterCriticalSection.KERNEL32(?), ref: 00AF0863
                          • LeaveCriticalSection.KERNEL32(?), ref: 00AF08DC
                          • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00AF08F3
                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00AF0921
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                          • String ID:
                          • API String ID: 3368777196-0
                          • Opcode ID: 1a0f7c64df1e41d85a852338bca244240f2ed4cb8d2f2f611691b018554d9656
                          • Instruction ID: 6423b650f4bdd81d1de55846323c92d5b5a7fdb15cd712697b960d6420d9cf20
                          • Opcode Fuzzy Hash: 1a0f7c64df1e41d85a852338bca244240f2ed4cb8d2f2f611691b018554d9656
                          • Instruction Fuzzy Hash: 2B415971A00209AFDF14AF94DC85AAA77B8FF04310F1480A5ED00AB297DB30DE64DBA4
                          APIs
                          • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00ADF3AB,00000000,?,?,00000000,?,00AD682C,00000004,00000000,00000000), ref: 00B1824C
                          • EnableWindow.USER32(?,00000000), ref: 00B18272
                          • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00B182D1
                          • ShowWindow.USER32(?,00000004), ref: 00B182E5
                          • EnableWindow.USER32(?,00000001), ref: 00B1830B
                          • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00B1832F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Window$Show$Enable$MessageSend
                          • String ID:
                          • API String ID: 642888154-0
                          • Opcode ID: 9eb161576aa122233e778abd93b8c5735db7aa5f597dfea22672cb43aacef142
                          • Instruction ID: c2c1a99d1786e1c9f2797adc249fbbc96541d1c84396b6f178d6509a1695d069
                          • Opcode Fuzzy Hash: 9eb161576aa122233e778abd93b8c5735db7aa5f597dfea22672cb43aacef142
                          • Instruction Fuzzy Hash: 8A41B234601644EFDB22CF18D899BE47BE0FB4A715F5841E9F5184B2A2CB71AC81CF90
                          APIs
                          • IsWindowVisible.USER32(?), ref: 00AE4C95
                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00AE4CB2
                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00AE4CEA
                          • _wcslen.LIBCMT ref: 00AE4D08
                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00AE4D10
                          • _wcsstr.LIBVCRUNTIME ref: 00AE4D1A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                          • String ID:
                          • API String ID: 72514467-0
                          • Opcode ID: 5b59c9af64a9ce9d97ab3e0e7b81af8d400303ee24b38ad3cc75d61e384f66c2
                          • Instruction ID: 28eadf9c1aa6a141ad4e89bddae15ed639b47a8997e4fa5e9467c5744639a5ae
                          • Opcode Fuzzy Hash: 5b59c9af64a9ce9d97ab3e0e7b81af8d400303ee24b38ad3cc75d61e384f66c2
                          • Instruction Fuzzy Hash: C921C9716042447FEB155B3A9D49E7B7FACDF49750F108029F805CB191DE65DC4196A0
                          APIs
                            • Part of subcall function 00A83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A83A97,?,?,00A82E7F,?,?,?,00000000), ref: 00A83AC2
                          • _wcslen.LIBCMT ref: 00AF587B
                          • CoInitialize.OLE32(00000000), ref: 00AF5995
                          • CoCreateInstance.OLE32(00B1FCF8,00000000,00000001,00B1FB68,?), ref: 00AF59AE
                          • CoUninitialize.OLE32 ref: 00AF59CC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                          • String ID: .lnk
                          • API String ID: 3172280962-24824748
                          • Opcode ID: f2982e31b4c69858720ba3ff7d09a7539d4775937a9dc4c5bd2ccf35576ff670
                          • Instruction ID: d425a1a16560f935cb02dae4504f06f652ac21328d55d758e547e0223683ff4c
                          • Opcode Fuzzy Hash: f2982e31b4c69858720ba3ff7d09a7539d4775937a9dc4c5bd2ccf35576ff670
                          • Instruction Fuzzy Hash: 9CD17471A087059FC718EF64C58492ABBE1FF89710F14885DFA8A9B361DB31EC45CB92
                          APIs
                            • Part of subcall function 00AE0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AE0FCA
                            • Part of subcall function 00AE0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AE0FD6
                            • Part of subcall function 00AE0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AE0FE5
                            • Part of subcall function 00AE0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AE0FEC
                            • Part of subcall function 00AE0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AE1002
                          • GetLengthSid.ADVAPI32(?,00000000,00AE1335), ref: 00AE17AE
                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00AE17BA
                          • HeapAlloc.KERNEL32(00000000), ref: 00AE17C1
                          • CopySid.ADVAPI32(00000000,00000000,?), ref: 00AE17DA
                          • GetProcessHeap.KERNEL32(00000000,00000000,00AE1335), ref: 00AE17EE
                          • HeapFree.KERNEL32(00000000), ref: 00AE17F5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                          • String ID:
                          • API String ID: 3008561057-0
                          • Opcode ID: 12e4c4722c1c92fab6fbc71cc2f0c107dc39fb726de4470648b4e202a8632fb4
                          • Instruction ID: c3ba629bd7b4458a00da76b2ff7d42c035f21ca432366961c7feffd39e327245
                          • Opcode Fuzzy Hash: 12e4c4722c1c92fab6fbc71cc2f0c107dc39fb726de4470648b4e202a8632fb4
                          • Instruction Fuzzy Hash: 51118B32684215FFDB109FA5CC49FEE7BB9EB46755F608018F981A7210DB36A944CF60
                          APIs
                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00AE14FF
                          • OpenProcessToken.ADVAPI32(00000000), ref: 00AE1506
                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00AE1515
                          • CloseHandle.KERNEL32(00000004), ref: 00AE1520
                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AE154F
                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 00AE1563
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                          • String ID:
                          • API String ID: 1413079979-0
                          • Opcode ID: 83920c9b7897d048b4356cc22c68426079c3debc72a956854f4563c64e8865bb
                          • Instruction ID: 945887c71a6d70925096ce95ec89b4994816fffcb644aba296a4dd3df7d57272
                          • Opcode Fuzzy Hash: 83920c9b7897d048b4356cc22c68426079c3debc72a956854f4563c64e8865bb
                          • Instruction Fuzzy Hash: 6F1129B2540259ABDF118F98ED49FDE7BB9EF48744F048015FA05A21A0C7758E60DB60
                          APIs
                          • GetLastError.KERNEL32(?,?,00AA3379,00AA2FE5), ref: 00AA3390
                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00AA339E
                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00AA33B7
                          • SetLastError.KERNEL32(00000000,?,00AA3379,00AA2FE5), ref: 00AA3409
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ErrorLastValue___vcrt_
                          • String ID:
                          • API String ID: 3852720340-0
                          • Opcode ID: 1ebd5adaa1846b87de893f44b898eb5016335ba632c02ba1b3ab8ebbe6cbdd2c
                          • Instruction ID: 6c8d6fb14b0c67852ee7375bd3d4fadcdca05d0821f8ec4240137f9be1e236f0
                          • Opcode Fuzzy Hash: 1ebd5adaa1846b87de893f44b898eb5016335ba632c02ba1b3ab8ebbe6cbdd2c
                          • Instruction Fuzzy Hash: 1701473760E311BFAEA62B747D856672E94EB0B7793300229F4208B2F0EF114E015154
                          APIs
                          • GetLastError.KERNEL32(?,?,00AB5686,00AC3CD6,?,00000000,?,00AB5B6A,?,?,?,?,?,00AAE6D1,?,00B48A48), ref: 00AB2D78
                          • _free.LIBCMT ref: 00AB2DAB
                          • _free.LIBCMT ref: 00AB2DD3
                          • SetLastError.KERNEL32(00000000,?,?,?,?,00AAE6D1,?,00B48A48,00000010,00A84F4A,?,?,00000000,00AC3CD6), ref: 00AB2DE0
                          • SetLastError.KERNEL32(00000000,?,?,?,?,00AAE6D1,?,00B48A48,00000010,00A84F4A,?,?,00000000,00AC3CD6), ref: 00AB2DEC
                          • _abort.LIBCMT ref: 00AB2DF2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ErrorLast$_free$_abort
                          • String ID:
                          • API String ID: 3160817290-0
                          • Opcode ID: fd5f3b9ba71b4d8319908ecb37fdab7a8dcc7ddbd7bec3fe2676eef5d097d542
                          • Instruction ID: fc5930b48c97609acc16879e1a26d36a835b27104895df6986ab3881421357a5
                          • Opcode Fuzzy Hash: fd5f3b9ba71b4d8319908ecb37fdab7a8dcc7ddbd7bec3fe2676eef5d097d542
                          • Instruction Fuzzy Hash: 32F0C83654560027D6123738BD0AFEA2B6DBFC67A1F24451AF824931D7EE3489014360
                          APIs
                            • Part of subcall function 00A99639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A99693
                            • Part of subcall function 00A99639: SelectObject.GDI32(?,00000000), ref: 00A996A2
                            • Part of subcall function 00A99639: BeginPath.GDI32(?), ref: 00A996B9
                            • Part of subcall function 00A99639: SelectObject.GDI32(?,00000000), ref: 00A996E2
                          • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00B18A4E
                          • LineTo.GDI32(?,00000003,00000000), ref: 00B18A62
                          • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00B18A70
                          • LineTo.GDI32(?,00000000,00000003), ref: 00B18A80
                          • EndPath.GDI32(?), ref: 00B18A90
                          • StrokePath.GDI32(?), ref: 00B18AA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                          • String ID:
                          • API String ID: 43455801-0
                          • Opcode ID: 2bbfb1e3c53164749ed2953778e1006540d263323ffda9cbb104f7d9253ebba0
                          • Instruction ID: 84d33a33dad3f9b984e26e50338a38f40026862de4b134c3f8943c8ec6edfae0
                          • Opcode Fuzzy Hash: 2bbfb1e3c53164749ed2953778e1006540d263323ffda9cbb104f7d9253ebba0
                          • Instruction Fuzzy Hash: 3B11F776040108FFDB129F94DC88FEA7FACEB08350F40C462BA199A1A1CB719D55DBA0
                          APIs
                          • GetDC.USER32(00000000), ref: 00AE5218
                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 00AE5229
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AE5230
                          • ReleaseDC.USER32(00000000,00000000), ref: 00AE5238
                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00AE524F
                          • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00AE5261
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: CapsDevice$Release
                          • String ID:
                          • API String ID: 1035833867-0
                          • Opcode ID: 261d303609e92646e519b46b81605d9c0a9ed2c6f305f5d72ddbc819b889ee1d
                          • Instruction ID: 8fa66d471bd509ebbdff77d62cd3610dad0281bd6ea62a542d527ecc60670c79
                          • Opcode Fuzzy Hash: 261d303609e92646e519b46b81605d9c0a9ed2c6f305f5d72ddbc819b889ee1d
                          • Instruction Fuzzy Hash: 85014475E40714BBEB105BB69C49A9EBF78EF48751F148065FA05E7281DA709900CB60
                          APIs
                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A81BF4
                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 00A81BFC
                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A81C07
                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A81C12
                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 00A81C1A
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A81C22
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Virtual
                          • String ID:
                          • API String ID: 4278518827-0
                          • Opcode ID: 580f707b4b934048841ed907b1f485c34641248c53dbebaa8d6ba2310df5f25b
                          • Instruction ID: cbda5377ca47c1bfd8ac3a91766ede3dec1dcee5a3b9916193161a64f873b013
                          • Opcode Fuzzy Hash: 580f707b4b934048841ed907b1f485c34641248c53dbebaa8d6ba2310df5f25b
                          • Instruction Fuzzy Hash: 7D0167B0942B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00AEEB30
                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00AEEB46
                          • GetWindowThreadProcessId.USER32(?,?), ref: 00AEEB55
                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AEEB64
                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AEEB6E
                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AEEB75
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                          • String ID:
                          • API String ID: 839392675-0
                          • Opcode ID: 6576059906f0f0cd4a84e9046b05536280f522b40756dfb6f9dca5dfb1630777
                          • Instruction ID: b271a851385e8b2faa98fbd964a4a30fe020b89b791adaa439d2e83a19ea91bf
                          • Opcode Fuzzy Hash: 6576059906f0f0cd4a84e9046b05536280f522b40756dfb6f9dca5dfb1630777
                          • Instruction Fuzzy Hash: D1F03072680158BBE72157529C0DEEF3E7CEFCAB11F408158F611E3091DBA05A01C6B5
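The three records above that matter most for triage are the GetTokenInformation / GetLengthSid / CopySid chain, the OpenProcessToken / CreateEnvironmentBlock / CreateProcessWithLogonW chain (the source of the "launch a process as a different user" signature) and the PostMessageW / SendMessageTimeoutW / OpenProcess / TerminateProcess chain just listed. Reading the constants in that last record: 0x10 is WM_CLOSE, flag 0x2 with timeout 0x1F4 is SMTO_ABORTIFHUNG with a 500 ms wait, and 0x1F0FFF passed to OpenProcess is PROCESS_ALL_ACCESS, so the function asks a window to close politely and then terminates its owner. The following Python is an added example, not part of the Joe Sandbox report or its signature engine: it parses this "APIs" listing format and maps call chains to capability labels. The labels and rules are this example's own assumptions, and the embedded sample is a constructed, abridged copy of the three records.

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox report and flag
security-relevant Win32 call chains.  Added example: parser, rules and labels
are this example's own; the sample input is an abridged copy of three records."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One API line: optional "Part of subcall function <addr>:" prefix, then
# Name.MODULE(args), ref: <addr>.  CRT entries ("_wcslen.LIBCMT ref: ...")
# carry no argument list and no comma before "ref".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

PROCESS_ALL_ACCESS = 0x1F0FFF  # OpenProcess desired-access value in the winkill record
WM_CLOSE = 0x0010              # message passed to PostMessageW / SendMessageTimeoutW


@dataclass
class Call:
    name: str
    module: str
    args: List[str]         # raw hex strings as printed; "?" = unresolved
    ref: int                # address of the call site
    subcall: Optional[int]  # callee address when the call sits inside a subcall


@dataclass
class Record:
    calls: List[Call] = field(default_factory=list)

    def names(self):
        return {c.name for c in self.calls}

    def find(self, name):
        return [c for c in self.calls if c.name == name]


def arg_int(raw: str) -> Optional[int]:
    """Arguments are printed in hex, optionally negative; '?' is unresolved."""
    return None if raw == "?" else int(raw, 16)


def parse_report(text: str) -> List[Record]:
    """A record starts at an 'APIs' header and ends at 'Memory Dump Source'."""
    records: List[Record] = []
    current: Optional[Record] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = Record()
            records.append(current)
            continue
        if stripped == "Memory Dump Source":
            current = None
            continue
        m = API_LINE.match(line) if current is not None else None
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        current.calls.append(Call(m["name"], m["module"], args, int(m["ref"], 16),
                                  int(m["sub"], 16) if m["sub"] else None))
    return records


def classify(rec: Record) -> List[str]:
    """Labels for the call chains present in one record (rules are assumptions)."""
    found, names = [], rec.names()
    if {"OpenProcessToken", "CreateEnvironmentBlock", "CreateProcessWithLogonW"} <= names:
        found.append("runas: process started under another user's logon")
    if {"GetWindowThreadProcessId", "OpenProcess", "TerminateProcess"} <= names:
        if any(c.args and arg_int(c.args[0]) == PROCESS_ALL_ACCESS
               for c in rec.find("OpenProcess")):
            found.append("winkill: window owner opened with PROCESS_ALL_ACCESS and terminated")
        closers = rec.find("PostMessageW") + rec.find("SendMessageTimeoutW")
        if any(len(c.args) > 1 and arg_int(c.args[1]) == WM_CLOSE for c in closers):
            found.append("winkill: WM_CLOSE sent before the terminate")
    if {"GetTokenInformation", "GetLengthSid", "CopySid"} <= names:
        found.append("token: SID copied out of a process token")
    return found


def analyze(text: str) -> List[List[str]]:
    return [classify(rec) for rec in parse_report(text)]


# Constructed sample: abridged copies of three records from the report.
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 00AE0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AE0FCA
  • Part of subcall function 00AE0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AE0FEC
• GetLengthSid.ADVAPI32(?,00000000,00AE1335), ref: 00AE17AE
• CopySid.ADVAPI32(00000000,00000000,?), ref: 00AE17DA
• HeapFree.KERNEL32(00000000), ref: 00AE17F5
Memory Dump Source
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00AE14FF
• OpenProcessToken.ADVAPI32(00000000), ref: 00AE1506
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00AE1515
• CloseHandle.KERNEL32(00000004), ref: 00AE1520
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AE154F
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00AE1563
Memory Dump Source
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00AEEB30
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00AEEB46
• GetWindowThreadProcessId.USER32(?,?), ref: 00AEEB55
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AEEB64
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AEEB6E
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AEEB75
Memory Dump Source
"""

if __name__ == "__main__":
    for i, labels in enumerate(analyze(SAMPLE_REPORT)):
        print(f"record {i}: {labels or ['no rule matched']}")
```

The argument lists are only as good as the static reconstruction: trailing values such as the repeated 00000010 / 000001F4 in the OpenProcess line are stack residue from earlier calls, so a rule should key on the leading, resolved arguments (desired access, message id) and treat "?" as unknown rather than as a mismatch.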
                          APIs
                          • GetClientRect.USER32(?), ref: 00AD7452
                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 00AD7469
                          • GetWindowDC.USER32(?), ref: 00AD7475
                          • GetPixel.GDI32(00000000,?,?), ref: 00AD7484
                          • ReleaseDC.USER32(?,00000000), ref: 00AD7496
                          • GetSysColor.USER32(00000005), ref: 00AD74B0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ClientColorMessagePixelRectReleaseSendWindow
                          • String ID:
                          • API String ID: 272304278-0
                          • Opcode ID: b38f9855ba293a30a5336b2b6d546b377c80f7fefec4a9ef9b4d7cffc8320c97
                          • Instruction ID: c057263c196369b13403357d72787c84363ecad1ca5dcfe7d57b0f11d230bd01
                          • Opcode Fuzzy Hash: b38f9855ba293a30a5336b2b6d546b377c80f7fefec4a9ef9b4d7cffc8320c97
                          • Instruction Fuzzy Hash: 3D015231440215EFEB525FA4DC09BEA7FB6FB04321FA080A4F916A31A0CF311E51AB10
                          APIs
                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AE187F
                          • UnloadUserProfile.USERENV(?,?), ref: 00AE188B
                          • CloseHandle.KERNEL32(?), ref: 00AE1894
                          • CloseHandle.KERNEL32(?), ref: 00AE189C
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00AE18A5
                          • HeapFree.KERNEL32(00000000), ref: 00AE18AC
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                          • String ID:
                          • API String ID: 146765662-0
                          • Opcode ID: b4f788314fb77d54bc259720de87107d5748ad6600741d9f32dac8c3703c5ca4
                          • Instruction ID: 4be6d73b956bb1e9806e65697dddec0260e8a4c621bf1fd74b49d0d4793515ed
                          • Opcode Fuzzy Hash: b4f788314fb77d54bc259720de87107d5748ad6600741d9f32dac8c3703c5ca4
                          • Instruction Fuzzy Hash: F3E0E536484211BBDB015FA1ED0C98ABF3AFF49B22B90C220F225920B0CF729430DF50
                          APIs
                            • Part of subcall function 00A87620: _wcslen.LIBCMT ref: 00A87625
                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AEC6EE
                          • _wcslen.LIBCMT ref: 00AEC735
                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AEC79C
                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00AEC7CA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ItemMenu$Info_wcslen$Default
                          • String ID: 0
                          • API String ID: 1227352736-4108050209
                          • Opcode ID: 80dca43d494263e4d75f397a3d7d84184777a87e3286de9d99864bf1f3cab5e7
                          • Instruction ID: 660a953d7a0b320aadf56da785d76a41a008da4b58761126d6bbbcaa5a8bcb66
                          • Opcode Fuzzy Hash: 80dca43d494263e4d75f397a3d7d84184777a87e3286de9d99864bf1f3cab5e7
                          • Instruction Fuzzy Hash: C851D5716043809BD715EF2AC985B6BBBE8AF49324F040A2DF995D31E0DB70DD46CB52
                          APIs
                          • ShellExecuteExW.SHELL32(0000003C), ref: 00B0AEA3
                            • Part of subcall function 00A87620: _wcslen.LIBCMT ref: 00A87625
                          • GetProcessId.KERNEL32(00000000), ref: 00B0AF38
                          • CloseHandle.KERNEL32(00000000), ref: 00B0AF67
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: CloseExecuteHandleProcessShell_wcslen
                          • String ID: <$@
                          • API String ID: 146682121-1426351568
                          • Opcode ID: 125e05754528d6fcf7adc50c8c174afc1df8b0c7d4696e5a31d95004240bc361
                          • Instruction ID: 56afc1410e5147de94487d5ee8ef4c2c17128ad85e3371ce3c7c858a4f086e82
                          • Opcode Fuzzy Hash: 125e05754528d6fcf7adc50c8c174afc1df8b0c7d4696e5a31d95004240bc361
                          • Instruction Fuzzy Hash: EC715971A00615DFCB14EF54C584A9EBBF0FF08314F1488A9E856AB7A2CB74ED45CBA1
                          APIs
                          • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00AE7206
                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00AE723C
                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00AE724D
                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00AE72CF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ErrorMode$AddressCreateInstanceProc
                          • String ID: DllGetClassObject
                          • API String ID: 753597075-1075368562
                          • Opcode ID: 9ec3080c5e5b77d83bb63d750cd83e654426c3683c04b362721175ac20281e82
                          • Instruction ID: c3922e3cb985681aad3096665498e6778f6c3ab11f6f9bdc5fbf80c3b67838e8
                          • Opcode Fuzzy Hash: 9ec3080c5e5b77d83bb63d750cd83e654426c3683c04b362721175ac20281e82
                          • Instruction Fuzzy Hash: 46416D71A04245EFDB15CF55C884AEE7BB9EF45310F2480A9BE099F24AD7B1DE44CBA0
                          APIs
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B13E35
                          • IsMenu.USER32(?), ref: 00B13E4A
                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B13E92
                          • DrawMenuBar.USER32 ref: 00B13EA5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Menu$Item$DrawInfoInsert
                          • String ID: 0
                          • API String ID: 3076010158-4108050209
                          • Opcode ID: 61c9628eb7d476b52fbd754df7a1a3f5c9689485a9de5c05ff097c97d8a0fc2c
                          • Instruction ID: 3d8acdc41e2394227b1372015beef4b777dc578685be406fa8b57af6e3a2fbd7
                          • Opcode Fuzzy Hash: 61c9628eb7d476b52fbd754df7a1a3f5c9689485a9de5c05ff097c97d8a0fc2c
                          • Instruction Fuzzy Hash: 13414A76A00309EFDB10DF54D884AEABBF9FF49750F4441A9E905A7290E730AE85CF60
                          APIs
                            • Part of subcall function 00A89CB3: _wcslen.LIBCMT ref: 00A89CBD
                            • Part of subcall function 00AE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AE3CCA
                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00AE1E66
                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00AE1E79
                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 00AE1EA9
                            • Part of subcall function 00A86B57: _wcslen.LIBCMT ref: 00A86B6A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessageSend$_wcslen$ClassName
                          • String ID: ComboBox$ListBox
                          • API String ID: 2081771294-1403004172
                          • Opcode ID: 3a9de5e3656bbe52bf3c3a41da3217f3d5bae648db8b8741f9fcb140e3cd2b15
                          • Instruction ID: ddf55f4979181445febf193b3d9ba4a558a62e0427d5071bab85bddea01ddba0
                          • Opcode Fuzzy Hash: 3a9de5e3656bbe52bf3c3a41da3217f3d5bae648db8b8741f9fcb140e3cd2b15
                          • Instruction Fuzzy Hash: 76217871A40144BFDB14ABB6CD4ACFFBBB8EF41350B144519F821A31E1DB384E0A8720
                          APIs
                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B12F8D
                          • LoadLibraryW.KERNEL32(?), ref: 00B12F94
                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B12FA9
                          • DestroyWindow.USER32(?), ref: 00B12FB1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessageSend$DestroyLibraryLoadWindow
                          • String ID: SysAnimate32
                          • API String ID: 3529120543-1011021900
                          • Opcode ID: f72ecb5bb3c94583cc91ce673ab36cef24a78f71b15a41fea925d61aa8ffe2a7
                          • Instruction ID: a62f8c2378ad97cc13f2f64dee9748f72c69ca538c8d0d82ec1b363fe06f2523
                          • Opcode Fuzzy Hash: f72ecb5bb3c94583cc91ce673ab36cef24a78f71b15a41fea925d61aa8ffe2a7
                          • Instruction Fuzzy Hash: 46216A71204209ABEB104F64DC84EFB77F9EB59364F904658FA50D71A0D771DCA29760
                          APIs
                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00AA4D1E,00AB28E9,?,00AA4CBE,00AB28E9,00B488B8,0000000C,00AA4E15,00AB28E9,00000002), ref: 00AA4D8D
                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00AA4DA0
                          • FreeLibrary.KERNEL32(00000000,?,?,?,00AA4D1E,00AB28E9,?,00AA4CBE,00AB28E9,00B488B8,0000000C,00AA4E15,00AB28E9,00000002,00000000), ref: 00AA4DC3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: AddressFreeHandleLibraryModuleProc
                          • String ID: CorExitProcess$mscoree.dll
                          • API String ID: 4061214504-1276376045
                          • Opcode ID: fc197995f3da20a1f803a7987253a4c56e285cfcc2e2fcab4076fb21c4b68aa7
                          • Instruction ID: ae363e3fd7d1776cc4225d9d09a9a4993c8a094c497185fad772ec176909b36b
                          • Opcode Fuzzy Hash: fc197995f3da20a1f803a7987253a4c56e285cfcc2e2fcab4076fb21c4b68aa7
                          • Instruction Fuzzy Hash: 70F03C35A80218BBDB119F94DC49BEEBFA5EF49751F4040A4B809A32A0CF719E50CB90
                          APIs
                          • LoadLibraryA.KERNEL32 ref: 00ADD3AD
                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00ADD3BF
                          • FreeLibrary.KERNEL32(00000000), ref: 00ADD3E5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Library$AddressFreeLoadProc
                          • String ID: GetSystemWow64DirectoryW$X64
                          • API String ID: 145871493-2590602151
                          • Opcode ID: 1d3aeaf93421fbfebbf30a953d8abcb8fdc008619497b41d4c4a9b2ca64c658f
                          • Instruction ID: 00ac5bcf8a6b975e3fa6ad3c1578dd68f903f9adb1895c06e5ea1ad3f4063d93
                          • Opcode Fuzzy Hash: 1d3aeaf93421fbfebbf30a953d8abcb8fdc008619497b41d4c4a9b2ca64c658f
                          • Instruction Fuzzy Hash: DCF055314C5A20ABD73017148C18EED7B70AF00702BA4C087F807FA318DF30CE808682
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A84EDD,?,00B51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A84E9C
                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A84EAE
                          • FreeLibrary.KERNEL32(00000000,?,?,00A84EDD,?,00B51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A84EC0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Library$AddressFreeLoadProc
                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                          • API String ID: 145871493-3689287502
                          • Opcode ID: 1a367b8077c281265af25e17abe02863e92dcfe061aec8b9d04cb172ab391529
                          • Instruction ID: 03b7434c5cdd4181407a344d5b23d4ce28abeddab8d04186398b51f886fe1501
                          • Opcode Fuzzy Hash: 1a367b8077c281265af25e17abe02863e92dcfe061aec8b9d04cb172ab391529
                          • Instruction Fuzzy Hash: 92E0CD35A855236BD3312B256C18BDF6A94AF85F627454115FC04F3114DF64CD0141A0
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AC3CDE,?,00B51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A84E62
                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A84E74
                          • FreeLibrary.KERNEL32(00000000,?,?,00AC3CDE,?,00B51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A84E87
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Library$AddressFreeLoadProc
                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                          • API String ID: 145871493-1355242751
                          • Opcode ID: 1ef6c721cced8e3ec2ee4b20b2c810f8ec374ab6d6e020bf6cc5bc539804f888
                          • Instruction ID: 3b20489445cc3f30b94d434c12b42f6d28f98ba7531ff156146d258488b92e85
                          • Opcode Fuzzy Hash: 1ef6c721cced8e3ec2ee4b20b2c810f8ec374ab6d6e020bf6cc5bc539804f888
                          • Instruction Fuzzy Hash: 1BD012355826226756222B256C18ECB6E58AF89F513454565F905F3124CF60CE2186D0
                          APIs
                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AF2C05
                          • DeleteFileW.KERNEL32(?), ref: 00AF2C87
                          • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00AF2C9D
                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AF2CAE
                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AF2CC0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: File$Delete$Copy
                          • String ID:
                          • API String ID: 3226157194-0
                          • Opcode ID: 28ee241a167218895055f9f533db8b56fea35b276748cccd3e4505568c40602e
                          • Instruction ID: 777463fde0cdc58254c19feea553f5b1f66282cbc349eba5df0bec708d5f58fb
                          • Opcode Fuzzy Hash: 28ee241a167218895055f9f533db8b56fea35b276748cccd3e4505568c40602e
                          • Instruction Fuzzy Hash: 03B11C71D0011DABDF11EBE4CD85EEEBBBDEF49350F1040A6FA09A7191EB309A448B61
                          APIs
                          • GetCurrentProcessId.KERNEL32 ref: 00B0A427
                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B0A435
                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B0A468
                          • CloseHandle.KERNEL32(?), ref: 00B0A63D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Process$CloseCountersCurrentHandleOpen
                          • String ID:
                          • API String ID: 3488606520-0
                          • Opcode ID: e41cd924810e932e462354c39ce61b9144555b9f187cb9526d9aefc5b92dd6fb
                          • Instruction ID: 6740545734124a24a559615ceb5a9feff304adcd197dfbc20c04f007c715b5b4
                          • Opcode Fuzzy Hash: e41cd924810e932e462354c39ce61b9144555b9f187cb9526d9aefc5b92dd6fb
                          • Instruction Fuzzy Hash: C4A19071604300AFE720EF24D986F2ABBE5AF84714F14885DF55A9B3D2DB71EC418B92
                          APIs
                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00B23700), ref: 00ABBB91
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00B5121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00ABBC09
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00B51270,000000FF,?,0000003F,00000000,?), ref: 00ABBC36
                          • _free.LIBCMT ref: 00ABBB7F
                            • Part of subcall function 00AB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ABD7D1,00000000,00000000,00000000,00000000,?,00ABD7F8,00000000,00000007,00000000,?,00ABDBF5,00000000), ref: 00AB29DE
                            • Part of subcall function 00AB29C8: GetLastError.KERNEL32(00000000,?,00ABD7D1,00000000,00000000,00000000,00000000,?,00ABD7F8,00000000,00000007,00000000,?,00ABDBF5,00000000,00000000), ref: 00AB29F0
                          • _free.LIBCMT ref: 00ABBD4B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                          • String ID:
                          • API String ID: 1286116820-0
                          • Opcode ID: 690f7413eb9191a55b5f0d05da1f9360a0fad64e64525a74a45aa0cfbc6ad75d
                          • Instruction ID: f3527f4070bf68312789e1537eb3cbe652da78a144b99fb68cad82030efbd2ce
                          • Opcode Fuzzy Hash: 690f7413eb9191a55b5f0d05da1f9360a0fad64e64525a74a45aa0cfbc6ad75d
                          • Instruction Fuzzy Hash: 1151F971910209EFCB10DF69DD81AEEBBBCEF45310F1046AAE414D71A2EFB19E408B60
                          APIs
                            • Part of subcall function 00AEDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AECF22,?), ref: 00AEDDFD
                            • Part of subcall function 00AEDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AECF22,?), ref: 00AEDE16
                            • Part of subcall function 00AEE199: GetFileAttributesW.KERNEL32(?,00AECF95), ref: 00AEE19A
                          • lstrcmpiW.KERNEL32(?,?), ref: 00AEE473
                          • MoveFileW.KERNEL32(?,?), ref: 00AEE4AC
                          • _wcslen.LIBCMT ref: 00AEE5EB
                          • _wcslen.LIBCMT ref: 00AEE603
                          • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00AEE650
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                          • String ID:
                          • API String ID: 3183298772-0
                          • Opcode ID: 7981b746887fc97c421dd940dd5d0c72fb31a6563c3b62fafa66ff6b69ed98f8
                          • Instruction ID: de06c2eb19446bfea6a7a9181b1722f4a6bd2ddcc23ef07ad9ea2a6257e9e7fa
                          • Opcode Fuzzy Hash: 7981b746887fc97c421dd940dd5d0c72fb31a6563c3b62fafa66ff6b69ed98f8
                          • Instruction Fuzzy Hash: 9F5184B24083859BC724EBA5DD819EFB3ECAF85340F00491EF589D3191EF75A68C8766
                          APIs
                            • Part of subcall function 00A89CB3: _wcslen.LIBCMT ref: 00A89CBD
                            • Part of subcall function 00B0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0B6AE,?,?), ref: 00B0C9B5
                            • Part of subcall function 00B0C998: _wcslen.LIBCMT ref: 00B0C9F1
                            • Part of subcall function 00B0C998: _wcslen.LIBCMT ref: 00B0CA68
                            • Part of subcall function 00B0C998: _wcslen.LIBCMT ref: 00B0CA9E
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B0BAA5
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B0BB00
                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B0BB63
                          • RegCloseKey.ADVAPI32(?,?), ref: 00B0BBA6
                          • RegCloseKey.ADVAPI32(00000000), ref: 00B0BBB3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                          • String ID:
                          • API String ID: 826366716-0
                          • Opcode ID: 57dc7a22487f33c6967ea564a76f57acde8d283ca3b660a4f81a4e58086a23ff
                          • Instruction ID: 93e404fe81816cd3c5a98c9758be9507c0c2a2a515c94e3ac7f241104bc384d0
                          • Opcode Fuzzy Hash: 57dc7a22487f33c6967ea564a76f57acde8d283ca3b660a4f81a4e58086a23ff
                          • Instruction Fuzzy Hash: 4961AF31208241EFD714DF24C494E2ABBE5FF84308F54899DF49A8B2A2DB31ED45CB92
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 00AE8BCD
                          • VariantClear.OLEAUT32 ref: 00AE8C3E
                          • VariantClear.OLEAUT32 ref: 00AE8C9D
                          • VariantClear.OLEAUT32(?), ref: 00AE8D10
                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00AE8D3B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Variant$Clear$ChangeInitType
                          • String ID:
                          • API String ID: 4136290138-0
                          • Opcode ID: ea9952aa76042f6bb8bf0c24e7f720ac5bbdeae056f448a7159cecdc353fe54a
                          • Instruction ID: 2a62e9bb59bad4a7a9b58f7c504b4cb91ef708d4312242c51507de3f9a22b46c
                          • Opcode Fuzzy Hash: ea9952aa76042f6bb8bf0c24e7f720ac5bbdeae056f448a7159cecdc353fe54a
                          • Instruction Fuzzy Hash: 26518CB5A00219EFCB10CF59C894AAAB7F5FF89310B118559F909DB350E734E911CF90
                          APIs
                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00AF8BAE
                          • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00AF8BDA
                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00AF8C32
                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00AF8C57
                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00AF8C5F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: PrivateProfile$SectionWrite$String
                          • String ID:
                          • API String ID: 2832842796-0
                          • Opcode ID: 3c8be385c11a789a31ca20a7e2c69a17c5edfcebb06657975ac36427046783b2
                          • Instruction ID: 85b0b36b29dbc306cdd12570d54f391fd2b8a8f47cad396897cb45ecd2d8a32e
                          • Opcode Fuzzy Hash: 3c8be385c11a789a31ca20a7e2c69a17c5edfcebb06657975ac36427046783b2
                          • Instruction Fuzzy Hash: 8A514C35A002199FCB05EF64C981E6DBBF5FF49314F088458E94AAB362DB35ED51CBA0
                          APIs
                          • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00B08F40
                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B08FD0
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00B08FEC
                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B09032
                          • FreeLibrary.KERNEL32(00000000), ref: 00B09052
                            • Part of subcall function 00A9F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00AF1043,?,75C0E610), ref: 00A9F6E6
                            • Part of subcall function 00A9F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00ADFA64,00000000,00000000,?,?,00AF1043,?,75C0E610,?,00ADFA64), ref: 00A9F70D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                          • String ID:
                          • API String ID: 666041331-0
                          • Opcode ID: a8ea8fbb1f1de1e226b2c96c3288f3f4a8cc030eede75cc9dd71c5bace279d27
                          • Instruction ID: 462e5ac9dc48093d5ad9e7cd186fefb6bfc01131696cfe2d3ae22e2a6997c01f
                          • Opcode Fuzzy Hash: a8ea8fbb1f1de1e226b2c96c3288f3f4a8cc030eede75cc9dd71c5bace279d27
                          • Instruction Fuzzy Hash: 30513E35604205DFC715EF64C5948ADBFF1FF49314B0880A9E84AAB3A2DB31EE85CB91
                          APIs
                          • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00B16C33
                          • SetWindowLongW.USER32(?,000000EC,?), ref: 00B16C4A
                          • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00B16C73
                          • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00AFAB79,00000000,00000000), ref: 00B16C98
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00B16CC7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Window$Long$MessageSendShow
                          • String ID:
                          • API String ID: 3688381893-0
                          • Opcode ID: 733e076b760cbf200ced192820f32e513d17b1f33f62c3a4fc2a4e9753298a09
                          • Instruction ID: e32fdaecfa1e3d0a2c549cc5c7590e1504b196778a0ff515192a2c72dafa1d9b
                          • Opcode Fuzzy Hash: 733e076b760cbf200ced192820f32e513d17b1f33f62c3a4fc2a4e9753298a09
                          • Instruction Fuzzy Hash: E241D435A04104AFD724CF28CC99FEA7FE5EB09350F9542A8F895A72E0D771AD81CA80
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _free
                          • String ID:
                          • API String ID: 269201875-0
                          • Opcode ID: 27eeac6136b17cc5f5c70c5f5d6cf43338e8c4f4cf0653c2be2b446e535ebb9a
                          • Instruction ID: 0e0716294fe24a09a67ce261fa2431c79917d66b3a784acd8ae7a07252fd72d9
                          • Opcode Fuzzy Hash: 27eeac6136b17cc5f5c70c5f5d6cf43338e8c4f4cf0653c2be2b446e535ebb9a
                          • Instruction Fuzzy Hash: A941D372A00200AFCB24DF78C981B9DB7F9EF89714F15456AE515EB396DB31AD01CB80
                          APIs
                          • GetCursorPos.USER32(?), ref: 00A99141
                          • ScreenToClient.USER32(00000000,?), ref: 00A9915E
                          • GetAsyncKeyState.USER32(00000001), ref: 00A99183
                          • GetAsyncKeyState.USER32(00000002), ref: 00A9919D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: AsyncState$ClientCursorScreen
                          • String ID:
                          • API String ID: 4210589936-0
                          • Opcode ID: e237c95fe0b4c058997f1355cf9a760d3a666157be8a9d14a60a06210216e2f8
                          • Instruction ID: 4836c946d6df03d26a5bb94cf34bf39c8524d3f578cda88aa508efb0cfaf3499
                          • Opcode Fuzzy Hash: e237c95fe0b4c058997f1355cf9a760d3a666157be8a9d14a60a06210216e2f8
                          • Instruction Fuzzy Hash: 90414F71A0851AFBDF199F68C844BEEB7B5FB05320F20831AF429A72E0D7305990CB91
                          APIs
                          • GetInputState.USER32 ref: 00AF38CB
                          • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00AF3922
                          • TranslateMessage.USER32(?), ref: 00AF394B
                          • DispatchMessageW.USER32(?), ref: 00AF3955
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AF3966
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                          • String ID:
                          • API String ID: 2256411358-0
                          • Opcode ID: 89e302939c1342fa42bd672d286b904e558a0850f5a21c0ec907b47bfd5c07cb
                          • Instruction ID: cb9eb31274cbb6fef1c34ba3b7246e09af8607833cc6378fe40ae862fd2fa509
                          • Opcode Fuzzy Hash: 89e302939c1342fa42bd672d286b904e558a0850f5a21c0ec907b47bfd5c07cb
                          • Instruction Fuzzy Hash: 71311E7250434A9EEF35CBB4D8A8BB63BE8DB15341F04459DF662C3190E7F49A85CB11
                          APIs
                          • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00AFC21E,00000000), ref: 00AFCF38
                          • InternetReadFile.WININET(?,00000000,?,?), ref: 00AFCF6F
                          • GetLastError.KERNEL32(?,00000000,?,?,?,00AFC21E,00000000), ref: 00AFCFB4
                          • SetEvent.KERNEL32(?,?,00000000,?,?,?,00AFC21E,00000000), ref: 00AFCFC8
                          • SetEvent.KERNEL32(?,?,00000000,?,?,?,00AFC21E,00000000), ref: 00AFCFF2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                          • String ID:
                          • API String ID: 3191363074-0
                          • Opcode ID: cdf0d77c2a681c1a42108ee3a9cc5022bbf9aa4ba7a1aca7bf807cbc610a2ebc
                          • Instruction ID: 5b709dfc957fbc4d7c34ab07e0da4f5fbbe16cb2c1fdc879a9204121187b1e71
                          • Opcode Fuzzy Hash: cdf0d77c2a681c1a42108ee3a9cc5022bbf9aa4ba7a1aca7bf807cbc610a2ebc
                          • Instruction Fuzzy Hash: 54314F7160430DAFDB20DFE6CA849BABBF9EB14364B10842EF616D3141DB30AE40DB60
                          APIs
                          • GetWindowRect.USER32(?,?), ref: 00AE1915
                          • PostMessageW.USER32(00000001,00000201,00000001), ref: 00AE19C1
                          • Sleep.KERNEL32(00000000,?,?,?), ref: 00AE19C9
                          • PostMessageW.USER32(00000001,00000202,00000000), ref: 00AE19DA
                          • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00AE19E2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessagePostSleep$RectWindow
                          • String ID:
                          • API String ID: 3382505437-0
                          • Opcode ID: 3971b212f5ec276a9e7a16d2f2a676acc1f8fa73716be0172895381254c3082b
                          • Instruction ID: d789a68f0eed2b5f351014072024aef0e1938ef186b1bbfa7281cec5964bfa68
                          • Opcode Fuzzy Hash: 3971b212f5ec276a9e7a16d2f2a676acc1f8fa73716be0172895381254c3082b
                          • Instruction Fuzzy Hash: 9C31B471A00269EFCB04CFA9CD99ADE7BB5EB44315F108225F921A72D1C7709D54CB90
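The function entries above are only useful once the API chains are read as behaviour: LoadLibraryW followed by repeated GetProcAddress (ref 00B08F40 onward) is dynamic API resolution, PostMessageW with 0x0201/0x0202 separated by Sleep (ref 00AE19C1 onward) is a synthesised left-button click, RegConnectRegistryW/RegOpenKeyExW/RegEnumKeyExW is remote registry enumeration, and InternetQueryDataAvailable/InternetReadFile is a WinINet download loop. The following added example is not Joe Sandbox code: it parses the report's own "APIs" line format, names the Win32 constants that carry meaning (WM_LBUTTONDOWN, VK_LBUTTON, GWL_STYLE), and matches the chain against a few hand-written signatures. The sample lines are copied from this report; the signature labels are the example's own, and the re-reading of 000000F0 as the sign-extended immediate -16 (GWL_STYLE) is an assumption about how the IDA plugin prints an imm8 push.

```python
"""Triage helper for the 'APIs' listings of a Joe Sandbox function entry (added example,
not Joe Sandbox code). Parses lines such as
    • PostMessageW.USER32(00000001,00000201,00000001), ref: 00AE19C1
    • Part of subcall function 00AEDDE0: GetFullPathNameW.KERNEL32(?,...), ref: 00AEDDFD
    • VariantClear.OLEAUT32 ref: 00AE8C3E
decodes the constants that identify behaviour and matches the chain against signatures.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Call:
    api: str
    module: str
    args: List[Optional[int]]      # '?' (unknown) becomes None, hex immediates become int
    ref: Optional[str]             # address of the call site
    subcall_of: Optional[str]      # callee address for "Part of subcall function X" lines

LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"            # argument list is absent for e.g. _wcslen.LIBCMT
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)

# Win32 constants worth naming when they appear as arguments.
WM_NAMES = {0x0201: "WM_LBUTTONDOWN", 0x0202: "WM_LBUTTONUP",
            0x0204: "WM_RBUTTONDOWN", 0x0205: "WM_RBUTTONUP"}
VK_NAMES = {0x01: "VK_LBUTTON", 0x02: "VK_RBUTTON"}
GWL_NAMES = {-4: "GWL_WNDPROC", -12: "GWL_ID", -16: "GWL_STYLE",
             -20: "GWL_EXSTYLE", -21: "GWL_USERDATA"}

# Signature labels are this example's own; each is an ordered subsequence of the call chain.
SIGNATURES = [
    ("dynamic API resolution (LoadLibrary -> GetProcAddress)", ["LoadLibraryW", "GetProcAddress"]),
    ("simulated mouse click via PostMessage WM_LBUTTONDOWN/WM_LBUTTONUP",
     ["PostMessageW:WM_LBUTTONDOWN", "PostMessageW:WM_LBUTTONUP"]),
    ("remote registry enumeration", ["RegConnectRegistryW", "RegOpenKeyExW", "RegEnumKeyExW"]),
    ("WinINet download loop", ["InternetQueryDataAvailable", "InternetReadFile"]),
    ("mouse button polling", ["GetAsyncKeyState:VK_LBUTTON", "GetAsyncKeyState:VK_RBUTTON"]),
]

def parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    return -int(tok[1:], 16) if tok.startswith("-") else int(tok, 16)

def parse_apis(text: str) -> List[Call]:
    """Parse every API line of one function entry; other report lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls

def decode(call: Call) -> str:
    """Return 'Api' or 'Api:CONST' when the call's key argument is a known constant."""
    a = call.args
    if call.api in ("PostMessageW", "SendMessageW") and len(a) > 1 and a[1] in WM_NAMES:
        return f"{call.api}:{WM_NAMES[a[1]]}"
    if call.api == "GetAsyncKeyState" and a and a[0] in VK_NAMES:
        return f"{call.api}:{VK_NAMES[a[0]]}"
    if call.api in ("SetWindowLongW", "GetWindowLongW") and len(a) > 1 and a[1] is not None:
        # Assumption: the report prints a sign-extended imm8 (push -16 encodes as 6A F0)
        # as 000000F0, so a value in 0x80..0xFF is re-read as a signed byte.
        idx = a[1] - 0x100 if 0x80 <= a[1] < 0x100 else a[1]
        if idx in GWL_NAMES:
            return f"{call.api}:{GWL_NAMES[idx]}"
    return call.api

def is_subsequence(needle: List[str], hay: List[str]) -> bool:
    it = iter(hay)                 # 'n in it' consumes the iterator, so order is enforced
    return all(n in it for n in needle)

def behaviours(calls: List[Call]) -> List[str]:
    """Signatures matched by the function's own calls (subcall lines describe callees)."""
    tokens = [decode(c) for c in calls if c.subcall_of is None]
    return [name for name, seq in SIGNATURES if is_subsequence(seq, tokens)]

# Sample input copied from two function entries in this report.
SAMPLE_CLICK = """\
• GetWindowRect.USER32(?,?), ref: 00AE1915
• PostMessageW.USER32(00000001,00000201,00000001), ref: 00AE19C1
• Sleep.KERNEL32(00000000,?,?,?), ref: 00AE19C9
• PostMessageW.USER32(00000001,00000202,00000000), ref: 00AE19DA
• Sleep.KERNEL32(00000000,?,?,?,?), ref: 00AE19E2
"""
SAMPLE_RESOLVE = """\
• LoadLibraryW.KERNEL32(?,00000000,?), ref: 00B08F40
• GetProcAddress.KERNEL32(00000000,?), ref: 00B08FD0
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00B08FEC
• GetProcAddress.KERNEL32(00000000,?), ref: 00B09032
• FreeLibrary.KERNEL32(00000000), ref: 00B09052
  • Part of subcall function 00A9F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00AF1043,?,75C0E610), ref: 00A9F6E6
"""

if __name__ == "__main__":
    for label, sample in (("click", SAMPLE_CLICK), ("resolve", SAMPLE_RESOLVE)):
        calls = parse_apis(sample)
        print(label, [decode(c) for c in calls], behaviours(calls))
```

The matcher deliberately ignores "Part of subcall function" lines, which describe the callee rather than the function being listed; feed the callee's own entry to it instead. Unknown arguments (`?`) stay `None`, so a signature that needs a constant will not fire on a call whose argument the plugin could not recover, which is the conservative choice for triage.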
                          APIs
                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B15745
                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 00B1579D
                          • _wcslen.LIBCMT ref: 00B157AF
                          • _wcslen.LIBCMT ref: 00B157BA
                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00B15816
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessageSend$_wcslen
                          • String ID:
                          • API String ID: 763830540-0
                          • Opcode ID: f6e49acb1a137e0454f8cf7509379a56cac75674a6f0afce038b436edcf33bce
                          • Instruction ID: a97766e1fbfe3f1bad3007c4c7a7bfeb4663ad3fdcf1ba95977bcf69f3b52584
                          • Opcode Fuzzy Hash: f6e49acb1a137e0454f8cf7509379a56cac75674a6f0afce038b436edcf33bce
                          • Instruction Fuzzy Hash: EE218071904618DADB309F64CC85AEEBBB8EB85324F508296E929AB2C4D77099C5CF50
                          APIs
                          • IsWindow.USER32(00000000), ref: 00B00951
                          • GetForegroundWindow.USER32 ref: 00B00968
                          • GetDC.USER32(00000000), ref: 00B009A4
                          • GetPixel.GDI32(00000000,?,00000003), ref: 00B009B0
                          • ReleaseDC.USER32(00000000,00000003), ref: 00B009E8
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Window$ForegroundPixelRelease
                          • String ID:
                          • API String ID: 4156661090-0
                          • Opcode ID: f07b92292e6324ec8d8498fbea986a9a6684b01e2577853344dede085c937d50
                          • Instruction ID: 6e8ea8a6a847f00cabeee0e35aa0d6dcf6991a29e057cc597bd81afae73b44c0
                          • Opcode Fuzzy Hash: f07b92292e6324ec8d8498fbea986a9a6684b01e2577853344dede085c937d50
                          • Instruction Fuzzy Hash: FF219075600204AFD704EF69D984AAEBBF9EF49700F04806CF94AE73A2CB70AD04CB50
                          APIs
                          • GetEnvironmentStringsW.KERNEL32 ref: 00ABCDC6
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00ABCDE9
                            • Part of subcall function 00AB3820: RtlAllocateHeap.NTDLL(00000000,?,00B51444,?,00A9FDF5,?,?,00A8A976,00000010,00B51440,00A813FC,?,00A813C6,?,00A81129), ref: 00AB3852
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00ABCE0F
                          • _free.LIBCMT ref: 00ABCE22
                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00ABCE31
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                          • String ID:
                          • API String ID: 336800556-0
                          • Opcode ID: 6014825eea41aeb24d223e3f978a11d6aa36e864b36e6420e48e76078a166447
                          • Instruction ID: 3eaa0d68974c7e756c7d314b79a04b5c5f0ff7f80a29480bdac3de7ffa9d2314
                          • Opcode Fuzzy Hash: 6014825eea41aeb24d223e3f978a11d6aa36e864b36e6420e48e76078a166447
                          • Instruction Fuzzy Hash: 4F018472601215BFA7211BB66C88DFB6E6DEEC6BB13154129F905DB202EE61CD0191B0
                          APIs
                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A99693
                          • SelectObject.GDI32(?,00000000), ref: 00A996A2
                          • BeginPath.GDI32(?), ref: 00A996B9
                          • SelectObject.GDI32(?,00000000), ref: 00A996E2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ObjectSelect$BeginCreatePath
                          • String ID:
                          • API String ID: 3225163088-0
                          • Opcode ID: ac18532dc8eb660fdbf408b971bf60ff1929c6c276c7a5db71d9cf67f5f88f04
                          • Instruction ID: 59adc968cde40dea268567ddd64219d2c079fabb4b2bc9ceafe1156b6de5d7a4
                          • Opcode Fuzzy Hash: ac18532dc8eb660fdbf408b971bf60ff1929c6c276c7a5db71d9cf67f5f88f04
                          • Instruction Fuzzy Hash: 4F217F70902305FBDF119F6CEC087EA3BB9BB11356F50465AF511A71A0DBB05892CBA4
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _memcmp
                          • String ID:
                          • API String ID: 2931989736-0
                          • Opcode ID: 377e10da8d06425eafaeddf0fa78b9be2ce0be3a80790b6c427b05b3fb55d81e
                          • Instruction ID: a11453c039b6fbb4b989f382362dada0e7f7fd78b213e447bcc2e93a89c2377d
                          • Opcode Fuzzy Hash: 377e10da8d06425eafaeddf0fa78b9be2ce0be3a80790b6c427b05b3fb55d81e
                          • Instruction Fuzzy Hash: 88019671A45645FA96089622AE52FFB739CDB21398F404420FD04AF281F761ED60C2F0
                          APIs
                          • GetSysColor.USER32(00000008), ref: 00A998CC
                          • SetTextColor.GDI32(?,?), ref: 00A998D6
                          • SetBkMode.GDI32(?,00000001), ref: 00A998E9
                          • GetStockObject.GDI32(00000005), ref: 00A998F1
                          • GetWindowLongW.USER32(?,000000EB), ref: 00A99952
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Color$LongModeObjectStockTextWindow
                          • String ID:
                          • API String ID: 1860813098-0
                          • Opcode ID: 6358800a50537e99923de9cfcb0af1dfaf62842f354182060d461b4106a7d4ea
                          • Instruction ID: 11c7452de585697ac1dca59cbe677ca6e47f5e589b730769b18a0f3ec656a5cf
                          • Opcode Fuzzy Hash: 6358800a50537e99923de9cfcb0af1dfaf62842f354182060d461b4106a7d4ea
                          • Instruction Fuzzy Hash: 79110632286250BFCF224F69EC59AEA3FA4EB13321B08815DF5929B1B1DA310851CB51
                          APIs
                          • GetLastError.KERNEL32(?,?,?,00AAF2DE,00AB3863,00B51444,?,00A9FDF5,?,?,00A8A976,00000010,00B51440,00A813FC,?,00A813C6), ref: 00AB2DFD
                          • _free.LIBCMT ref: 00AB2E32
                          • _free.LIBCMT ref: 00AB2E59
                          • SetLastError.KERNEL32(00000000,00A81129), ref: 00AB2E66
                          • SetLastError.KERNEL32(00000000,00A81129), ref: 00AB2E6F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ErrorLast$_free
                          • String ID:
                          • API String ID: 3170660625-0
                          • Opcode ID: 787991e857f8ca1b2660bc6d28eaaea9e216a3864a12fa37e449647718f08da9
                          • Instruction ID: 35894d302398b84493de645329ef39f3fd855a18afdc696d5bf4970ff4919902
                          • Opcode Fuzzy Hash: 787991e857f8ca1b2660bc6d28eaaea9e216a3864a12fa37e449647718f08da9
                          • Instruction Fuzzy Hash: 3F01F4362456006BCA1327366D45FEB2E7DBBD67A1B24442AF825A31D3EE34CC014320
                          APIs
                          • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ADFF41,80070057,?,?,?,00AE035E), ref: 00AE002B
                          • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ADFF41,80070057,?,?), ref: 00AE0046
                          • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ADFF41,80070057,?,?), ref: 00AE0054
                          • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ADFF41,80070057,?), ref: 00AE0064
                          • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ADFF41,80070057,?,?), ref: 00AE0070
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: From$Prog$FreeStringTasklstrcmpi
                          • String ID:
                          • API String ID: 3897988419-0
                          • Opcode ID: 0d11e1540472c3dd245ccb32b05ac71a8fbee63e164217a040798684927339b7
                          • Instruction ID: f20db1bef8667e29c516852707c903b8e5389cbb580180434945a47bf55ecc38
                          • Opcode Fuzzy Hash: 0d11e1540472c3dd245ccb32b05ac71a8fbee63e164217a040798684927339b7
                          • Instruction Fuzzy Hash: 6C018B72640204BFDB109F6AEC44FAA7EADEB44792F148124F905D3210EBB1DD808BA0
                          APIs
                          • QueryPerformanceCounter.KERNEL32(?), ref: 00AEE997
                          • QueryPerformanceFrequency.KERNEL32(?), ref: 00AEE9A5
                          • Sleep.KERNEL32(00000000), ref: 00AEE9AD
                          • QueryPerformanceCounter.KERNEL32(?), ref: 00AEE9B7
                          • Sleep.KERNEL32 ref: 00AEE9F3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: PerformanceQuery$CounterSleep$Frequency
                          • String ID:
                          • API String ID: 2833360925-0
                          • Opcode ID: c6bb8ba3378e481de85ac1c9ac6fb43325b1935ed0103866f977cf493c5576e4
                          • Instruction ID: 9978ca1550389634ed1fad4e8d9a2865eb5022575d19cfd641aa41f5d464bff0
                          • Opcode Fuzzy Hash: c6bb8ba3378e481de85ac1c9ac6fb43325b1935ed0103866f977cf493c5576e4
                          • Instruction Fuzzy Hash: 8B015731C41629EBCF00EBE6DC49AEDFBB8FB08700F404546E502B2242CF309660CBA1
                          APIs
                          • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AE1114
                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,00AE0B9B,?,?,?), ref: 00AE1120
                          • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00AE0B9B,?,?,?), ref: 00AE112F
                          • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00AE0B9B,?,?,?), ref: 00AE1136
                          • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AE114D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                          • String ID:
                          • API String ID: 842720411-0
                          • Opcode ID: 3147ee3ac9c5c2bd7422c81bc6e132186575f61bd5756130fcd68f37b67b3ff5
                          • Instruction ID: 2bbc37d7a0953b9ec9a16f757ebf9183139287088e0b232f8f45a324179e90bd
                          • Opcode Fuzzy Hash: 3147ee3ac9c5c2bd7422c81bc6e132186575f61bd5756130fcd68f37b67b3ff5
                          • Instruction Fuzzy Hash: 88018C79240315BFDB125FA5DC49EAA3F6EEF8A3A4B608418FA41D3360DF71DC108A60
                          APIs
                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AE0FCA
                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AE0FD6
                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AE0FE5
                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AE0FEC
                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AE1002
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: HeapInformationToken$AllocErrorLastProcess
                          • String ID:
                          • API String ID: 44706859-0
                          • Opcode ID: b64adef362e4bab5f3eaab3a91ced02045238b115df6a276cce20604c8ea956a
                          • Instruction ID: 0599f8858e6bd5347f3068577427488947c367306394a18f483f199cae4ca098
                          • Opcode Fuzzy Hash: b64adef362e4bab5f3eaab3a91ced02045238b115df6a276cce20604c8ea956a
                          • Instruction Fuzzy Hash: D6F04F39180351BBD7214FA59C4DF963F6EEF89761F518414FA46D7291CE70DC508A60
                          APIs
                           • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00AE102A
                           • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00AE1036
                           • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00AE1045
                           • HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 00AE104C
                           • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00AE1062
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: HeapInformationToken$AllocErrorLastProcess
                          • String ID:
                          • API String ID: 44706859-0
                          • Opcode ID: 4aeb1997a1a636d2aff7b484af1c9da893cedb78fa7d61cc77091d96370af5f9
                          • Instruction ID: 564541ce1ac2ac51411ab834aa1f08228160ff6cabc7d4de2e99bc39917d3ad9
                          • Opcode Fuzzy Hash: 4aeb1997a1a636d2aff7b484af1c9da893cedb78fa7d61cc77091d96370af5f9
                          • Instruction Fuzzy Hash: 74F0CD39280311FBDB211FA5EC4CF963FAEEF89761FA14424FA05D7250CE30D8408A60
                          APIs
                          • CloseHandle.KERNEL32(?,?,?,?,00AF017D,?,00AF32FC,?,00000001,00AC2592,?), ref: 00AF0324
                          • CloseHandle.KERNEL32(?,?,?,?,00AF017D,?,00AF32FC,?,00000001,00AC2592,?), ref: 00AF0331
                          • CloseHandle.KERNEL32(?,?,?,?,00AF017D,?,00AF32FC,?,00000001,00AC2592,?), ref: 00AF033E
                          • CloseHandle.KERNEL32(?,?,?,?,00AF017D,?,00AF32FC,?,00000001,00AC2592,?), ref: 00AF034B
                          • CloseHandle.KERNEL32(?,?,?,?,00AF017D,?,00AF32FC,?,00000001,00AC2592,?), ref: 00AF0358
                          • CloseHandle.KERNEL32(?,?,?,?,00AF017D,?,00AF32FC,?,00000001,00AC2592,?), ref: 00AF0365
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: CloseHandle
                          • String ID:
                          • API String ID: 2962429428-0
                          • Opcode ID: d9593229e84e15a2f6edf8c374911def4f3f5a89c2381d8640e0f97a7bda893b
                          • Instruction ID: f3962c675dcbc38231aef31e14269b8b59f208155ebec106a536f0771987399d
                          • Opcode Fuzzy Hash: d9593229e84e15a2f6edf8c374911def4f3f5a89c2381d8640e0f97a7bda893b
                          • Instruction Fuzzy Hash: 5A01A272800B199FC7309FA6D880822FBF5BF503153158A3FE29652932C771A954CF80
                          APIs
                          • _free.LIBCMT ref: 00ABD752
                            • Part of subcall function 00AB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ABD7D1,00000000,00000000,00000000,00000000,?,00ABD7F8,00000000,00000007,00000000,?,00ABDBF5,00000000), ref: 00AB29DE
                            • Part of subcall function 00AB29C8: GetLastError.KERNEL32(00000000,?,00ABD7D1,00000000,00000000,00000000,00000000,?,00ABD7F8,00000000,00000007,00000000,?,00ABDBF5,00000000,00000000), ref: 00AB29F0
                          • _free.LIBCMT ref: 00ABD764
                          • _free.LIBCMT ref: 00ABD776
                          • _free.LIBCMT ref: 00ABD788
                          • _free.LIBCMT ref: 00ABD79A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 18c80108d629e7fe1d5309067675945611ef12208ee26f28c49dbf5c0bbc2e88
                          • Instruction ID: 20f656032480a47cf80a2ef982af7c4d2efd118698702652951830a41b47ff0f
                          • Opcode Fuzzy Hash: 18c80108d629e7fe1d5309067675945611ef12208ee26f28c49dbf5c0bbc2e88
                          • Instruction Fuzzy Hash: 86F0F936545208BB8665EB68FAC6DDA7BDDBB85B10BA40C06F048E7503DF20FC808B64
                          APIs
                          • GetDlgItem.USER32(?,000003E9), ref: 00AE5C58
                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 00AE5C6F
                          • MessageBeep.USER32(00000000), ref: 00AE5C87
                          • KillTimer.USER32(?,0000040A), ref: 00AE5CA3
                          • EndDialog.USER32(?,00000001), ref: 00AE5CBD
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                          • String ID:
                          • API String ID: 3741023627-0
                          • Opcode ID: 3be428d2854df06d5dda760e51af0f9d5f936e609a7603b1b762336383a5293e
                          • Instruction ID: 35eb5401d913a36790158649032d779e4bf98ea1cbba9c16deb413e846fb6748
                          • Opcode Fuzzy Hash: 3be428d2854df06d5dda760e51af0f9d5f936e609a7603b1b762336383a5293e
                          • Instruction Fuzzy Hash: 1D018630940B44ABEB245B21ED5EFE67BB8BF44B09F505559A583A20E1DBF0A984CB90
                          APIs
                          • _free.LIBCMT ref: 00AB22BE
                            • Part of subcall function 00AB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ABD7D1,00000000,00000000,00000000,00000000,?,00ABD7F8,00000000,00000007,00000000,?,00ABDBF5,00000000), ref: 00AB29DE
                            • Part of subcall function 00AB29C8: GetLastError.KERNEL32(00000000,?,00ABD7D1,00000000,00000000,00000000,00000000,?,00ABD7F8,00000000,00000007,00000000,?,00ABDBF5,00000000,00000000), ref: 00AB29F0
                          • _free.LIBCMT ref: 00AB22D0
                          • _free.LIBCMT ref: 00AB22E3
                          • _free.LIBCMT ref: 00AB22F4
                          • _free.LIBCMT ref: 00AB2305
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 8ff7de0e92afed6589cb73576f91dd91daa362b7576854a7c87f63cb4a56c767
                          • Instruction ID: b7c7aaae89790982571653bfa834a917163902f45d34f81bec36f163914356ea
                          • Opcode Fuzzy Hash: 8ff7de0e92afed6589cb73576f91dd91daa362b7576854a7c87f63cb4a56c767
                          • Instruction Fuzzy Hash: F3F0D075411310AB8652BF58BD01B983F69B76DB52B050E87F418D7272CF310551ABA5
                          APIs
                          • EndPath.GDI32(?), ref: 00A995D4
                          • StrokeAndFillPath.GDI32(?,?,00AD71F7,00000000,?,?,?), ref: 00A995F0
                          • SelectObject.GDI32(?,00000000), ref: 00A99603
                          • DeleteObject.GDI32 ref: 00A99616
                          • StrokePath.GDI32(?), ref: 00A99631
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Path$ObjectStroke$DeleteFillSelect
                          • String ID:
                          • API String ID: 2625713937-0
                          • Opcode ID: de202c6e1d781feaa2e184da267d79593bac477b83590b1b0779b204224063ee
                          • Instruction ID: b5e9c7c09017a837f53f73ce343db84a60272f37f7cd810b4bb4348146307445
                          • Opcode Fuzzy Hash: de202c6e1d781feaa2e184da267d79593bac477b83590b1b0779b204224063ee
                          • Instruction Fuzzy Hash: 91F0F630145304EBDB125F6DED1C7AA3FA1AB05322F448658E565960F1CF3089A6DF64
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: __freea$_free
                          • String ID: a/p$am/pm
                          • API String ID: 3432400110-3206640213
                          • Opcode ID: 7bf1b06f2f6966e2bc6ed0fab9c062e2b45689bd28c5047deb3cca05287d77cf
                          • Instruction ID: e4034135509b6f9786048d5b00188adbf8412ca66a444d5ddcace7d1e96a6233
                          • Opcode Fuzzy Hash: 7bf1b06f2f6966e2bc6ed0fab9c062e2b45689bd28c5047deb3cca05287d77cf
                          • Instruction Fuzzy Hash: A2D1E431900205DADB649F68C865BFEB7F9FF05300FA84269E5019F653E7759D80CB91
                          APIs
                            • Part of subcall function 00AA0242: EnterCriticalSection.KERNEL32(00B5070C,00B51884,?,?,00A9198B,00B52518,?,?,?,00A812F9,00000000), ref: 00AA024D
                            • Part of subcall function 00AA0242: LeaveCriticalSection.KERNEL32(00B5070C,?,00A9198B,00B52518,?,?,?,00A812F9,00000000), ref: 00AA028A
                            • Part of subcall function 00A89CB3: _wcslen.LIBCMT ref: 00A89CBD
                            • Part of subcall function 00AA00A3: __onexit.LIBCMT ref: 00AA00A9
                          • __Init_thread_footer.LIBCMT ref: 00B07BFB
                            • Part of subcall function 00AA01F8: EnterCriticalSection.KERNEL32(00B5070C,?,?,00A98747,00B52514), ref: 00AA0202
                            • Part of subcall function 00AA01F8: LeaveCriticalSection.KERNEL32(00B5070C,?,00A98747,00B52514), ref: 00AA0235
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                           • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                          • String ID: 5$G$Variable must be of type 'Object'.
                          • API String ID: 535116098-3733170431
                          • Opcode ID: db3d57c0307efd016ad9d581974cd5e01f570d105b878e50e58d737fc8e76103
                          • Instruction ID: 1bc5020ea696218fdb24db6883e53b68234fb66ecc0808c30185cabd7b6b1ea4
                          • Opcode Fuzzy Hash: db3d57c0307efd016ad9d581974cd5e01f570d105b878e50e58d737fc8e76103
                          • Instruction Fuzzy Hash: B1919BB0A44209AFDB14EF94D9909AEBBF1FF45300F148199F8069B291DB71AE45CB91
                          APIs
                            • Part of subcall function 00AEB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AE21D0,?,?,00000034,00000800,?,00000034), ref: 00AEB42D
                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00AE2760
                            • Part of subcall function 00AEB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AE21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00AEB3F8
                            • Part of subcall function 00AEB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00AEB355
                            • Part of subcall function 00AEB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00AE2194,00000034,?,?,00001004,00000000,00000000), ref: 00AEB365
                            • Part of subcall function 00AEB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00AE2194,00000034,?,?,00001004,00000000,00000000), ref: 00AEB37B
                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AE27CD
                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AE281A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                          • String ID: @
                          • API String ID: 4150878124-2766056989
                          • Opcode ID: ca7d2252fdd29c0735d04e8f9d1d248e7a5134b1c29d3a57dd5e633ce5d09dc6
                          • Instruction ID: 5bf0e9eeb71c61454d5ed0347c20b5523b7bc21362d68c2290c67235c525883f
                          • Opcode Fuzzy Hash: ca7d2252fdd29c0735d04e8f9d1d248e7a5134b1c29d3a57dd5e633ce5d09dc6
                          • Instruction Fuzzy Hash: 92412C72900218AFDB10DFA5CD46BEEBBB8EF09700F108095FA55B7181DB706E45CBA1
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00AB1769
                          • _free.LIBCMT ref: 00AB1834
                          • _free.LIBCMT ref: 00AB183E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _free$FileModuleName
                          • String ID: C:\Users\user\Desktop\file.exe
                          • API String ID: 2506810119-4010620828
                          • Opcode ID: 1afdc9d994c085854c8444e96d12148a2686b6ed4991b84952c65adf0598e0db
                          • Instruction ID: 572627929f8a7f4d4da0b61099c63c3f7207513984cc4ba181db879b6bd95fc2
                          • Opcode Fuzzy Hash: 1afdc9d994c085854c8444e96d12148a2686b6ed4991b84952c65adf0598e0db
                          • Instruction Fuzzy Hash: 1E316D71A40258AFDB21DF999995EDEBBFCEB85310F9441A6F804D7212DA708E80CB90
                          APIs
                          • GetMenuItemInfoW.USER32(00000004,?,00000000,?), ref: 00AEC306
                          • DeleteMenu.USER32(?,00000007,00000000), ref: 00AEC34C
                          • DeleteMenu.USER32(?,?,00000000,?,00000000,00000000,00B51990,00C363D8), ref: 00AEC395
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Menu$Delete$InfoItem
                          • String ID: 0
                          • API String ID: 135850232-4108050209
                          • Opcode ID: dbc3dc96af4dcaab8a7965aa3b344d003ae26940c094baaab35a6797f5c856cc
                          • Instruction ID: a77b9f7111cf031f37d61865d5dfa5127be0c1312d5f41c4037338b5286eb6b5
                          • Opcode Fuzzy Hash: dbc3dc96af4dcaab8a7965aa3b344d003ae26940c094baaab35a6797f5c856cc
                          • Instruction Fuzzy Hash: 6B4191712043829FD724DF26D885F5AFBE8AF85320F14861DF9A59B2D2D730E905CB62
                          APIs
                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B1CC08,00000000,?,?,?,?), ref: 00B144AA
                          • GetWindowLongW.USER32 ref: 00B144C7
                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B144D7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Window$Long
                          • String ID: SysTreeView32
                          • API String ID: 847901565-1698111956
                          • Opcode ID: 51aa60eca69fdbe60b021d3f57c38c2c4945bdf8c4ffd53c01b2fddfbbbcfbac
                          • Instruction ID: 44f242a32ee8d0e22b552f9a6c6be3451fa650e9a7a828fb41cd85ecda9dae71
                          • Opcode Fuzzy Hash: 51aa60eca69fdbe60b021d3f57c38c2c4945bdf8c4ffd53c01b2fddfbbbcfbac
                          • Instruction Fuzzy Hash: 58317C71250205ABDB209E38DC45BEA7BE9EB18324F608755F979932E0DB70AC909B50
                          APIs
                            • Part of subcall function 00B0335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00B03077,?,?), ref: 00B03378
                          • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B0307A
                          • _wcslen.LIBCMT ref: 00B0309B
                          • htons.WSOCK32(00000000,?,?,00000000), ref: 00B03106
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                          • String ID: 255.255.255.255
                          • API String ID: 946324512-2422070025
                          • Opcode ID: 04f91f8924de47d29e179b19293d36fc3a821e45801c64ce38f868b0dea1e897
                          • Instruction ID: e40f5f661f350d4fd51d0ccb3644e9b235ed9f1d6b0945cd9094bba93f40cc3c
                          • Opcode Fuzzy Hash: 04f91f8924de47d29e179b19293d36fc3a821e45801c64ce38f868b0dea1e897
                          • Instruction Fuzzy Hash: ED31C4352002059FC710CF28C5C9FAABBE8EF54714F288099E8159B3D2DB72DE45C761
                          APIs
                          • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B13F40
                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B13F54
                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00B13F78
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessageSend$Window
                          • String ID: SysMonthCal32
                          • API String ID: 2326795674-1439706946
                          • Opcode ID: 3d3cb17fc51caa721973bc06375b6be3224704b9e2e288b4f2dba7329aefed1b
                          • Instruction ID: 1daa0874d5ac77f5e9d657999ec622ff43715d739d6257b9b142316557688d2f
                          • Opcode Fuzzy Hash: 3d3cb17fc51caa721973bc06375b6be3224704b9e2e288b4f2dba7329aefed1b
                          • Instruction Fuzzy Hash: F721BF32640219BFDF218F54CC86FEA3BB9EB48714F110254FA157B1D0DAB1A991CB90
                          APIs
                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00B14705
                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00B14713
                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B1471A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessageSend$DestroyWindow
                          • String ID: msctls_updown32
                          • API String ID: 4014797782-2298589950
                          • Opcode ID: 498bf55fe75f71717402195efd37039113af744455116bf1d4c42c9d3b84bb06
                          • Instruction ID: 239a2e4aa15faedb6d7430cda1cf2dba060e17c543c7b8ddbe46fb20c63c92c6
                          • Opcode Fuzzy Hash: 498bf55fe75f71717402195efd37039113af744455116bf1d4c42c9d3b84bb06
                          • Instruction Fuzzy Hash: 6D2130B5600209AFEB11DF68DCC1DA737EDEB5A7A4B540499FA009B291CB71EC51CB60
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _wcslen
                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                          • API String ID: 176396367-2734436370
                          • Opcode ID: e7b66c27e754e014e295a99e471b8bc05dda7cc071a0a998bd548639a58d846b
                          • Instruction ID: 0a11f6d79302de643d296d36d6927ab008341e42472fa58e6954daee4d474c90
                          • Opcode Fuzzy Hash: e7b66c27e754e014e295a99e471b8bc05dda7cc071a0a998bd548639a58d846b
                          • Instruction Fuzzy Hash: F5215772204791A6D731BB269D02FBBB3E89F91300F60442AF94997081EB95ED85C3A5
                          APIs
                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B13840
                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B13850
                          • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B13876
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessageSend$MoveWindow
                          • String ID: Listbox
                          • API String ID: 3315199576-2633736733
                          • Opcode ID: ac895b39d2a53753877b5ef28811454bd14f5a07b5f2bca876406ebf754b425d
                          • Instruction ID: 80757cc722409ec062b4cabc88a1c84a2143462fe1a9365187eea6da09cb1b23
                          • Opcode Fuzzy Hash: ac895b39d2a53753877b5ef28811454bd14f5a07b5f2bca876406ebf754b425d
                          • Instruction Fuzzy Hash: F321AC72600218BBEF218F54CC81FEB3BEEEF89B50F508164F9009B190DA719C9287A0
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 00AF4A08
                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00AF4A5C
                          • SetErrorMode.KERNEL32(00000000,?,?,00B1CC08), ref: 00AF4AD0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ErrorMode$InformationVolume
                          • String ID: %lu
                          • API String ID: 2507767853-685833217
                          • Opcode ID: 2048e27342b9b4796913cb25efd91d21077720e1547bebc80bbabda65d2e5660
                          • Instruction ID: 3b607f0b0b279553a4e2d8874e1bf37e2ccfc11ebf271021d8b29a095b762fca
                          • Opcode Fuzzy Hash: 2048e27342b9b4796913cb25efd91d21077720e1547bebc80bbabda65d2e5660
                          • Instruction Fuzzy Hash: 09312375A40109AFDB10EF54C985EAA7BF8EF09308F148099F509DB252DB71ED45CBA1
                          APIs
                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B1424F
                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B14264
                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B14271
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: msctls_trackbar32
                          • API String ID: 3850602802-1010561917
                          • Opcode ID: c7820a4f6b46011e5e969d9265e9be110c87da91633ce427f273d9c06323f389
                          • Instruction ID: 0b01477a86a320ca22bf44b4dae4edaea86c8a86b8379dbd8754208dd15bf91e
                          • Opcode Fuzzy Hash: c7820a4f6b46011e5e969d9265e9be110c87da91633ce427f273d9c06323f389
                          • Instruction Fuzzy Hash: 7F11CE31290208BEEF205E28CC06FEB3BECEB95B64F114524FA55E60A0D671DCA19B60
                          APIs
                            • Part of subcall function 00A86B57: _wcslen.LIBCMT ref: 00A86B6A
                            • Part of subcall function 00AE2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00AE2DC5
                            • Part of subcall function 00AE2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AE2DD6
                            • Part of subcall function 00AE2DA7: GetCurrentThreadId.KERNEL32 ref: 00AE2DDD
                            • Part of subcall function 00AE2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00AE2DE4
                          • GetFocus.USER32 ref: 00AE2F78
                            • Part of subcall function 00AE2DEE: GetParent.USER32(00000000), ref: 00AE2DF9
                          • GetClassNameW.USER32(?,?,00000100), ref: 00AE2FC3
                          • EnumChildWindows.USER32(?,00AE303B), ref: 00AE2FEB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                          • String ID: %s%d
                          • API String ID: 1272988791-1110647743
                          • Opcode ID: 97401648eb29ba1abb402a51c7226c1b1da4f4d402c9321214c549b27bc14bcf
                          • Instruction ID: efc6d72d272da244775d9d9215a0d75c7888983d80aa7422ca570cef7e8a4bf9
                          • Opcode Fuzzy Hash: 97401648eb29ba1abb402a51c7226c1b1da4f4d402c9321214c549b27bc14bcf
                          • Instruction Fuzzy Hash: 1611B4756002456BDF147F758DC9FEE37AAAF94314F048075FA099B152DE309A458B60
                          APIs
                          • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00B158C1
                          • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00B158EE
                          • DrawMenuBar.USER32(?), ref: 00B158FD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Menu$InfoItem$Draw
                          • String ID: 0
                          • API String ID: 3227129158-4108050209
                          • Opcode ID: 4544eb67c2b2dbeae685acc5a62a83acae3a95f4f993c10f87d598cba4939ce3
                          • Instruction ID: 046e64ad28a38bc30aadede0fcce2de28980be1b8d52025721961c323494180f
                          • Opcode Fuzzy Hash: 4544eb67c2b2dbeae685acc5a62a83acae3a95f4f993c10f87d598cba4939ce3
                          • Instruction Fuzzy Hash: 5B015B31600218EFDB219F11DC85BEEBBB9FB85360F5080A9E849D6251DB308A84DF21
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e0051a6ffd701ccdb0d8792e8e576e7049d2213f790995b51572fdc369250294
                          • Instruction ID: dfa12a2a89c6d37102d49b105bc21cd143ea9de57d89c873192da0f136634068
                          • Opcode Fuzzy Hash: e0051a6ffd701ccdb0d8792e8e576e7049d2213f790995b51572fdc369250294
                          • Instruction Fuzzy Hash: 9FC14875A0024AAFCB14CFA9C894EAEB7B5FF48304F218598E505EF251D771EE81DB90
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: __alldvrm$_strrchr
                          • String ID:
                          • API String ID: 1036877536-0
                          • Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                          • Instruction ID: 3d6c98627804c329d5ec1f2aed55f3a2956d35f265b81b4dec48013c2291fb28
                          • Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                          • Instruction Fuzzy Hash: C2A11772E003869FEB15DF28C8917FABBF9EF6A350F14426DE5959B283C2388941C750
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Variant$ClearInitInitializeUninitialize
                          • String ID:
                          • API String ID: 1998397398-0
                          APIs
                          • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00B1FC08,?), ref: 00AE05F0
                          • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00B1FC08,?), ref: 00AE0608
                          • CLSIDFromProgID.OLE32(?,?,00000000,00B1CC40,000000FF,?,00000000,00000800,00000000,?,00B1FC08,?), ref: 00AE062D
                          • _memcmp.LIBVCRUNTIME ref: 00AE064E
                          Similarity
                          • API ID: FromProg$FreeTask_memcmp
                          • String ID:
                          • API String ID: 314563124-0
                          Similarity
                          • API ID: _free
                          • String ID:
                          • API String ID: 269201875-0
                          APIs
                          • GetWindowRect.USER32(?,?), ref: 00B162E2
                          • ScreenToClient.USER32(?,?), ref: 00B16315
                          • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00B16382
                          Similarity
                          • API ID: Window$ClientMoveRectScreen
                          • String ID:
                          • API String ID: 3880355969-0
                          APIs
                          • socket.WSOCK32(00000002,00000002,00000011), ref: 00B01AFD
                          • WSAGetLastError.WSOCK32 ref: 00B01B0B
                          • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00B01B8A
                          • WSAGetLastError.WSOCK32 ref: 00B01B94
                          Similarity
                          • API ID: ErrorLast$socket
                          • String ID:
                          • API String ID: 1881357543-0
                          APIs
                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00AF5783
                          • GetLastError.KERNEL32(?,00000000), ref: 00AF57A9
                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00AF57CE
                          • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00AF57FA
                          Similarity
                          • API ID: CreateHardLink$DeleteErrorFileLast
                          • String ID:
                          • API String ID: 3321077145-0
                          APIs
                          • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00AA6D71,00000000,00000000,00AA82D9,?,00AA82D9,?,00000001,00AA6D71,8BE85006,00000001,00AA82D9,00AA82D9), ref: 00ABD910
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00ABD999
                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00ABD9AB
                          • __freea.LIBCMT ref: 00ABD9B4
                            • Part of subcall function 00AB3820: RtlAllocateHeap.NTDLL(00000000,?,00B51444,?,00A9FDF5,?,?,00A8A976,00000010,00B51440,00A813FC,?,00A813C6,?,00A81129), ref: 00AB3852
                          Similarity
                          • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                          • String ID:
                          • API String ID: 2652629310-0
                          APIs
                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 00B15352
                          • GetWindowLongW.USER32(?,000000F0), ref: 00B15375
                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B15382
                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B153A8
                          Similarity
                          • API ID: LongWindow$InvalidateMessageRectSend
                          • String ID:
                          • API String ID: 3340791633-0
                          APIs
                          • GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00AEABF1
                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 00AEAC0D
                          • PostMessageW.USER32(00000000,00000101,00000000), ref: 00AEAC74
                          • SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00AEACC6
                          Similarity
                          • API ID: KeyboardState$InputMessagePostSend
                          • String ID:
                          • API String ID: 432972143-0
                          APIs
                          • ClientToScreen.USER32(?,?), ref: 00B1769A
                          • GetWindowRect.USER32(?,?), ref: 00B17710
                          • PtInRect.USER32(?,?,00B18B89), ref: 00B17720
                          • MessageBeep.USER32(00000000), ref: 00B1778C
                          Similarity
                          • API ID: Rect$BeepClientMessageScreenWindow
                          • String ID:
                          • API String ID: 1352109105-0
                          APIs
                          • GetForegroundWindow.USER32 ref: 00B116EB
                            • Part of subcall function 00AE3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AE3A57
                            • Part of subcall function 00AE3A3D: GetCurrentThreadId.KERNEL32 ref: 00AE3A5E
                            • Part of subcall function 00AE3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00AE25B3), ref: 00AE3A65
                          • GetCaretPos.USER32(?), ref: 00B116FF
                          • ClientToScreen.USER32(00000000,?), ref: 00B1174C
                          • GetForegroundWindow.USER32 ref: 00B11752
                          Similarity
                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                          • String ID:
                          • API String ID: 2759813231-0
                          APIs
                            • Part of subcall function 00A87620: _wcslen.LIBCMT ref: 00A87625
                          • _wcslen.LIBCMT ref: 00AEDFCB
                          • _wcslen.LIBCMT ref: 00AEDFE2
                          • _wcslen.LIBCMT ref: 00AEE00D
                          • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00AEE018
                          Similarity
                          • API ID: _wcslen$ExtentPoint32Text
                          • String ID:
                          • API String ID: 3763101759-0
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00AED501
                          • Process32FirstW.KERNEL32(00000000,?), ref: 00AED50F
                          • Process32NextW.KERNEL32(00000000,?), ref: 00AED52F
                          • CloseHandle.KERNEL32(00000000), ref: 00AED5DC
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                          • String ID:
                          • API String ID: 420147892-0
                          APIs
                            • Part of subcall function 00A99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A99BB2
                          • GetCursorPos.USER32(?), ref: 00B19001
                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00AD7711,?,?,?,?,?), ref: 00B19016
                          • GetCursorPos.USER32(?), ref: 00B1905E
                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00AD7711,?,?,?), ref: 00B19094
                          Similarity
                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                          • String ID:
                          • API String ID: 2864067406-0
                          APIs
                          • GetFileAttributesW.KERNEL32(?,00B1CB68), ref: 00AED2FB
                          • GetLastError.KERNEL32 ref: 00AED30A
                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00AED319
                          • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00B1CB68), ref: 00AED376
                          Similarity
                          • API ID: CreateDirectory$AttributesErrorFileLast
                          • String ID:
                          • API String ID: 2267087916-0
                          APIs
                            • Part of subcall function 00AE1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AE102A
                            • Part of subcall function 00AE1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AE1036
                            • Part of subcall function 00AE1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AE1045
                            • Part of subcall function 00AE1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AE104C
                            • Part of subcall function 00AE1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AE1062
                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00AE15BE
                          • _memcmp.LIBVCRUNTIME ref: 00AE15E1
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE1617
                          • HeapFree.KERNEL32(00000000), ref: 00AE161E
                          Similarity
                          • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                          • String ID:
                          • API String ID: 1592001646-0
                          • Opcode ID: e90cc562b945d52d2a1a2918d5caaf9c93c5eeaf7263fb0cf13c2d95be007bd5
                          • Instruction ID: b41f2110c9f47ef8485a03d9e48d6862dbb7cbffffe2ca4195aa633f5abc11f6
                          • Opcode Fuzzy Hash: e90cc562b945d52d2a1a2918d5caaf9c93c5eeaf7263fb0cf13c2d95be007bd5
                          • Instruction Fuzzy Hash: 27218E71E40219EFDF10DFA6C949BEEB7B8EF44354F188459E445AB241E731AE05CBA0
                          APIs
                          • GetWindowLongW.USER32(?,000000EC), ref: 00B1280A
                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B12824
                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B12832
                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00B12840
                          Similarity
                          • API ID: Window$Long$AttributesLayered
                          • String ID:
                          • API String ID: 2169480361-0
                          • Opcode ID: a524b54fafd34917a48c273c64e0ae8d91d1c79e51bfc464c60b3578671c933e
                          • Instruction ID: e96ddc2b66a01df7f8c6ff5e9b9c1bee5d8285b886ab23315a6a812cd68f065d
                          • Opcode Fuzzy Hash: a524b54fafd34917a48c273c64e0ae8d91d1c79e51bfc464c60b3578671c933e
                          • Instruction Fuzzy Hash: CA21B031205511AFD7149B24D845FEA7B96EF86324F548198F826CB6E2CB71FC92CBD0
                          APIs
                            • Part of subcall function 00AE8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00AE790A,?,000000FF,?,00AE8754,00000000,?,0000001C,?,?), ref: 00AE8D8C
                            • Part of subcall function 00AE8D7D: lstrcpyW.KERNEL32(00000000,?,?,00AE790A,?,000000FF,?,00AE8754,00000000,?,0000001C,?,?,00000000), ref: 00AE8DB2
                            • Part of subcall function 00AE8D7D: lstrcmpiW.KERNEL32(00000000,?,00AE790A,?,000000FF,?,00AE8754,00000000,?,0000001C,?,?), ref: 00AE8DE3
                          • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00AE8754,00000000,?,0000001C,?,?,00000000), ref: 00AE7923
                          • lstrcpyW.KERNEL32(00000000,?,?,00AE8754,00000000,?,0000001C,?,?,00000000), ref: 00AE7949
                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,00AE8754,00000000,?,0000001C,?,?,00000000), ref: 00AE7984
                          Strings
                          Similarity
                          • API ID: lstrcmpilstrcpylstrlen
                          • String ID: cdecl
                          • API String ID: 4031866154-3896280584
                          • Opcode ID: 29ec32684cea1473b2422265b8a943cf8f6dad848e99e95f5f48eca809497d6c
                          • Instruction ID: 7aa42df7300fdfca5fdd56fbf71b466edbc2bf60f84d5fec1028422d81d58ff4
                          • Opcode Fuzzy Hash: 29ec32684cea1473b2422265b8a943cf8f6dad848e99e95f5f48eca809497d6c
                          • Instruction Fuzzy Hash: 8611D33A200382AFCB159F36DC45E7A77E9FF85750B50802AF946C72A5EF319811D7A1
                          APIs
                          • GetWindowLongW.USER32(?,000000F0), ref: 00B17D0B
                          • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00B17D2A
                          • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B17D42
                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00AFB7AD,00000000), ref: 00B17D6B
                            • Part of subcall function 00A99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A99BB2
                          Similarity
                          • API ID: Window$Long
                          • String ID:
                          • API String ID: 847901565-0
                          • Opcode ID: 35124e5a348ab933d3758287120625fad6ef116b5deaef6c20757f4c862fee83
                          • Instruction ID: a2af15a61b500a88f66be275ba0ce47d3d8d5ee949e6583356e55ce1c3fd7829
                          • Opcode Fuzzy Hash: 35124e5a348ab933d3758287120625fad6ef116b5deaef6c20757f4c862fee83
                          • Instruction Fuzzy Hash: 7311AE71284618AFCB108F28DC04AE63BE5EF45364B5187A4F835C72E0DB3089A1CB80
                          APIs
                          • SendMessageW.USER32(?,00001060,?,00000004), ref: 00B156BB
                          • _wcslen.LIBCMT ref: 00B156CD
                          • _wcslen.LIBCMT ref: 00B156D8
                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00B15816
                          Similarity
                          • API ID: MessageSend_wcslen
                          • String ID:
                          • API String ID: 455545452-0
                          • Opcode ID: b6b3440077730e70a61baa3fb3169d8ca1d964c2be5be6619249ab367649466a
                          • Instruction ID: ff6d657b61007254bb3865baeb91a2b5a2cc3c7ad277c5d632a060197f0b8959
                          • Opcode Fuzzy Hash: b6b3440077730e70a61baa3fb3169d8ca1d964c2be5be6619249ab367649466a
                          • Instruction Fuzzy Hash: 6D11E131600608DADB309F65CCC1AEE77ECEF95364B9040A6F915D7185EB708AC0CBA0
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bf90775317aa70d4b6ff21a1facef713cdce0bc5b4dae3608c8bf002c3204855
                          • Instruction ID: 09a7772be6a12e7c23c3f72df18619116cdbae3eb82430631556e523cb747f92
                          • Opcode Fuzzy Hash: bf90775317aa70d4b6ff21a1facef713cdce0bc5b4dae3608c8bf002c3204855
                          • Instruction Fuzzy Hash: 9701ADB220961A7EF62126786CD0FE76B6CDF817B8FB00326F525A21D3DB608C105160
                          APIs
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00AE1A47
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AE1A59
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AE1A6F
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AE1A8A
                          Similarity
                          • API ID: MessageSend
                          • String ID:
                          • API String ID: 3850602802-0
                          • Opcode ID: 1b26749355b095b9e1af9a9f4e0fca13616586657272f000c5e0746286dc6c87
                          • Instruction ID: ce0c25d109c77da81e7175077db278790737dbf50564bd3a4dbcf329394a7dd3
                          • Opcode Fuzzy Hash: 1b26749355b095b9e1af9a9f4e0fca13616586657272f000c5e0746286dc6c87
                          • Instruction Fuzzy Hash: EB11093AD41229FFEB11DBA5CD85FADBB78EB08750F2000A1EA05B7290D6716E50DB94
                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 00AEE1FD
                          • MessageBoxW.USER32(?,?,?,?), ref: 00AEE230
                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00AEE246
                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00AEE24D
                          Similarity
                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                          • String ID:
                          • API String ID: 2880819207-0
                          • Opcode ID: 1ddf2ef8e9f63da237eed4d914bdad5294d7da642e0316b54c32619cf78c0d80
                          • Instruction ID: c1253d33ac23d696940bb0aa0c3c8d53a9d6b7b0b54f6a3d9d0ef77237cec715
                          • Opcode Fuzzy Hash: 1ddf2ef8e9f63da237eed4d914bdad5294d7da642e0316b54c32619cf78c0d80
                          • Instruction Fuzzy Hash: 6111C876904254BBCB01DFAD9C05BDE7FADEB45311F148655F925E3291DAB08D048BA0
                          APIs
                          • CreateThread.KERNEL32(00000000,?,00AACFF9,00000000,00000004,00000000), ref: 00AAD218
                          • GetLastError.KERNEL32 ref: 00AAD224
                          • __dosmaperr.LIBCMT ref: 00AAD22B
                          • ResumeThread.KERNEL32(00000000), ref: 00AAD249
                          Similarity
                          • API ID: Thread$CreateErrorLastResume__dosmaperr
                          • String ID:
                          • API String ID: 173952441-0
                          • Opcode ID: 0af6841e362be37951f5f4d1ec708c05b82ba3d035dad04fa60538608a88eb50
                          • Instruction ID: 3a4623f1bddd6842abcb7fc45820452edfdafc96f4517f0514a0487463300b7f
                          • Opcode Fuzzy Hash: 0af6841e362be37951f5f4d1ec708c05b82ba3d035dad04fa60538608a88eb50
                          • Instruction Fuzzy Hash: 1701C076845204BBDB216BA5DC09BEE7E69EF83330F104229F926935D0DF708905C6A0
                          APIs
                            • Part of subcall function 00A99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A99BB2
                          • GetClientRect.USER32(?,?), ref: 00B19F31
                          • GetCursorPos.USER32(?), ref: 00B19F3B
                          • ScreenToClient.USER32(?,?), ref: 00B19F46
                          • DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00B19F7A
                          Similarity
                          • API ID: Client$CursorLongProcRectScreenWindow
                          • String ID:
                          • API String ID: 4127811313-0
                          • Opcode ID: 879d0b406c0ca5eea2b0d55fefd3c30cab0250300cba4865a8bdf5592b6b65d4
                          • Instruction ID: 7762cc8d0b2d46326bc0ae461edc1d0160ea906a8a3f5af722259166ea4821e3
                          • Opcode Fuzzy Hash: 879d0b406c0ca5eea2b0d55fefd3c30cab0250300cba4865a8bdf5592b6b65d4
                          • Instruction Fuzzy Hash: 71115A3290025ABBDB10DF68C8999EE7BF9FB05311F904495F911E3140D730BAC2CBA1
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A8604C
                          • GetStockObject.GDI32(00000011), ref: 00A86060
                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00A8606A
                          Similarity
                          • API ID: CreateMessageObjectSendStockWindow
                          • String ID:
                          • API String ID: 3970641297-0
                          • Opcode ID: 876f515731628bc48a96007c20cc38fc7a70436c2e40502da481693acb2a8cf8
                          • Instruction ID: ac67d790e2e12b8246c83db20d512fc323702d02894a086cfd661ed20879adbf
                          • Opcode Fuzzy Hash: 876f515731628bc48a96007c20cc38fc7a70436c2e40502da481693acb2a8cf8
                          • Instruction Fuzzy Hash: 2F116D72501508BFEF125FA49C54FEABF79EF083A5F048215FA1452150DB329C60DBA5
                          APIs
                          • ___BuildCatchObject.LIBVCRUNTIME ref: 00AA3B56
                            • Part of subcall function 00AA3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00AA3AD2
                            • Part of subcall function 00AA3AA3: ___AdjustPointer.LIBCMT ref: 00AA3AED
                          • _UnwindNestedFrames.LIBCMT ref: 00AA3B6B
                          • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00AA3B7C
                          • CallCatchBlock.LIBVCRUNTIME ref: 00AA3BA4
                          Similarity
                          • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                          • String ID:
                          • API String ID: 737400349-0
                          • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                          • Instruction ID: 5f1ebb6a4ea588ae01599e41dc7aec32c2d817bf2e2b74d4386c2a8ea009a06f
                          • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                          • Instruction Fuzzy Hash: 5C011732100148BBDF126F95DD42EEB7B6AEF8A754F044018FE4857161C772E9619BA0
                          APIs
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00A813C6,00000000,00000000,?,00AB301A,00A813C6,00000000,00000000,00000000,?,00AB328B,00000006,FlsSetValue), ref: 00AB30A5
                          • GetLastError.KERNEL32(?,00AB301A,00A813C6,00000000,00000000,00000000,?,00AB328B,00000006,FlsSetValue,00B22290,FlsSetValue,00000000,00000364,?,00AB2E46), ref: 00AB30B1
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00AB301A,00A813C6,00000000,00000000,00000000,?,00AB328B,00000006,FlsSetValue,00B22290,FlsSetValue,00000000), ref: 00AB30BF
                          Similarity
                          • API ID: LibraryLoad$ErrorLast
                          • String ID:
                          • API String ID: 3177248105-0
                          • Opcode ID: 2870e7d44bba079c35e9cfe09bf5380bf00a93da77b916b0db196def42a5e3ba
                          • Instruction ID: e1c07bd83d07ac288309b3d3ef2456d27420a2131ca39aa4f69f4a4da7b1e125
                          • Opcode Fuzzy Hash: 2870e7d44bba079c35e9cfe09bf5380bf00a93da77b916b0db196def42a5e3ba
                          • Instruction Fuzzy Hash: 5B01D437745322ABCF315B78AC44AD77B9CAF05B61B604620F906E7141CB21D901C6E0
                          APIs
                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00AE747F
                          • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00AE7497
                          • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00AE74AC
                          • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00AE74CA
                          Similarity
                          • API ID: Type$Register$FileLoadModuleNameUser
                          • String ID:
                          • API String ID: 1352324309-0
                          • Opcode ID: 764085c5ec43042e0e8ea2dd415e7ecd11bf52d30f63d934a536000a6dbaed4e
                          • Instruction ID: 39cbc3574eef8e176509798ee2b37470017d370202f64fca66082844cb399140
                          • Opcode Fuzzy Hash: 764085c5ec43042e0e8ea2dd415e7ecd11bf52d30f63d934a536000a6dbaed4e
                          • Instruction Fuzzy Hash: 2911C0B5249354AFE720CF19EC08F9A7FFCEB00B00F508569AA16DB191DBB0E904DB60
                          APIs
                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00AEACD3,?,00008000), ref: 00AEB0C4
                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00AEACD3,?,00008000), ref: 00AEB0E9
                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00AEACD3,?,00008000), ref: 00AEB0F3
                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00AEACD3,?,00008000), ref: 00AEB126
                          Similarity
                          • API ID: CounterPerformanceQuerySleep
                          • String ID:
                          • API String ID: 2875609808-0
                          • Opcode ID: dec7312deb7b900406594f4e9b68e1d21c17dbdad4085167d556d7ebe8a70672
                          • Instruction ID: b7eccab7837ed9a258d33b4b84e0ed9e21c3b09144b269af3ff5823fdab6d9ae
                          • Opcode Fuzzy Hash: dec7312deb7b900406594f4e9b68e1d21c17dbdad4085167d556d7ebe8a70672
                          • Instruction Fuzzy Hash: F8113931D51668E7CF00AFEAE9986EFBF78FF09721F108186D941B3181CB3056509B61
                          APIs
                          • GetWindowRect.USER32(?,?), ref: 00B17E33
                          • ScreenToClient.USER32(?,?), ref: 00B17E4B
                          • ScreenToClient.USER32(?,?), ref: 00B17E6F
                          • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B17E8A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ClientRectScreen$InvalidateWindow
                          • String ID:
                          • API String ID: 357397906-0
                          • Opcode ID: e17b4ebabd5a93e2478db96bf53c98214831750bcb6a71a6bdeb3a00bdd731d9
                          • Instruction ID: cb7138445afde10a599c7e10b8bf7ce63e16626ca6aa0ae5705a5cd50520c748
                          • Opcode Fuzzy Hash: e17b4ebabd5a93e2478db96bf53c98214831750bcb6a71a6bdeb3a00bdd731d9
                          • Instruction Fuzzy Hash: 611143B9D4020AAFDB41CF98C8849EEBBF9FB09310F509056E915E3210D775AA54CF50
                          APIs
                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00AE2DC5
                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00AE2DD6
                          • GetCurrentThreadId.KERNEL32 ref: 00AE2DDD
                          • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00AE2DE4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                          • String ID:
                          • API String ID: 2710830443-0
                          • Opcode ID: 7d813e1b1cd9705c103bdaa2943cd108aed26b5ec49836f25be04420b9aa0e48
                          • Instruction ID: c810ce456f17117b126c3d3f2077dd9ff58eb24325f1a103051e0ed3cda53541
                          • Opcode Fuzzy Hash: 7d813e1b1cd9705c103bdaa2943cd108aed26b5ec49836f25be04420b9aa0e48
                          • Instruction Fuzzy Hash: 79E06D715812247AD7201B639C4DFEB3E6CEB42BA1F904115B205D3080DEA08840C6B0
                          APIs
                            • Part of subcall function 00A99639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A99693
                            • Part of subcall function 00A99639: SelectObject.GDI32(?,00000000), ref: 00A996A2
                            • Part of subcall function 00A99639: BeginPath.GDI32(?), ref: 00A996B9
                            • Part of subcall function 00A99639: SelectObject.GDI32(?,00000000), ref: 00A996E2
                          • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00B18887
                          • LineTo.GDI32(?,?,?), ref: 00B18894
                          • EndPath.GDI32(?), ref: 00B188A4
                          • StrokePath.GDI32(?), ref: 00B188B2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                          • String ID:
                          • API String ID: 1539411459-0
                          • Opcode ID: 3fa39ffe5406faa88db0a33f53207ac172973346409060cf7b0d4b83c4addfec
                          • Instruction ID: e666af22e73f205a2754a5af1f31cf0930c2c3581d8065468559784afcfcb517
                          • Opcode Fuzzy Hash: 3fa39ffe5406faa88db0a33f53207ac172973346409060cf7b0d4b83c4addfec
                          • Instruction Fuzzy Hash: A0F05E36081258FADB125F98AC0EFCE3F99AF0A311F848040FA11660E2CB755562CFE9
                          APIs
                          • GetSysColor.USER32(00000008), ref: 00A998CC
                          • SetTextColor.GDI32(?,?), ref: 00A998D6
                          • SetBkMode.GDI32(?,00000001), ref: 00A998E9
                          • GetStockObject.GDI32(00000005), ref: 00A998F1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Color$ModeObjectStockText
                          • String ID:
                          • API String ID: 4037423528-0
                          • Opcode ID: 23c1f9a1639bd2078d4ec6702b1577dce1b964eca1d479f570554133c909358f
                          • Instruction ID: 2cb40900c98affeaa04e82d4951786373fe716d6727e6d553ec8b5b3589f9c45
                          • Opcode Fuzzy Hash: 23c1f9a1639bd2078d4ec6702b1577dce1b964eca1d479f570554133c909358f
                          • Instruction Fuzzy Hash: 0AE06D312C4280BADB215B78BC09BED3F61AB12336F14C21AF6FA690E1CB7146509B11
                          APIs
                          • GetCurrentThread.KERNEL32 ref: 00AE1634
                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,00AE11D9), ref: 00AE163B
                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00AE11D9), ref: 00AE1648
                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,00AE11D9), ref: 00AE164F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: CurrentOpenProcessThreadToken
                          • String ID:
                          • API String ID: 3974789173-0
                          • Opcode ID: a12d81bebd1b4533a93e0126f7ace81b63c1ccab4a4a1abd9b28f497464ead59
                          • Instruction ID: 62e9f2d609b2f771d30f631269f79544377d852cace0ea481e514b0908593791
                          • Opcode Fuzzy Hash: a12d81bebd1b4533a93e0126f7ace81b63c1ccab4a4a1abd9b28f497464ead59
                          • Instruction Fuzzy Hash: F8E08631641221DBD7202FA1AD0DBC63F7CBF45795F14C808F245CB080DA344540C754
                          APIs
                          • GetDesktopWindow.USER32 ref: 00ADD858
                          • GetDC.USER32(00000000), ref: 00ADD862
                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00ADD882
                          • ReleaseDC.USER32(?), ref: 00ADD8A3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: CapsDesktopDeviceReleaseWindow
                          • String ID:
                          • API String ID: 2889604237-0
                          • Opcode ID: 63b70cb8b337c1237aaab46e39640a08b40c29c9fa3ada48e7f3376cc19abcba
                          • Instruction ID: 47df62f2fdd0fc0fa3c44e057940a52211bcfb766e1bf829168e6c43f43702fe
                          • Opcode Fuzzy Hash: 63b70cb8b337c1237aaab46e39640a08b40c29c9fa3ada48e7f3376cc19abcba
                          • Instruction Fuzzy Hash: 4AE012B4840204EFCF41AFA0D90CAADBFB2FB08310F60D009E80AE7250CB388A41EF50
                          APIs
                          • GetDesktopWindow.USER32 ref: 00ADD86C
                          • GetDC.USER32(00000000), ref: 00ADD876
                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00ADD882
                          • ReleaseDC.USER32(?), ref: 00ADD8A3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: CapsDesktopDeviceReleaseWindow
                          • String ID:
                          • API String ID: 2889604237-0
                          • Opcode ID: 980bcc27c3d7f91dee28e973223a1226f8abce5e6d2295ab376f30973c1b3388
                          • Instruction ID: 3a59e6db21bd869b58a5e74a9f9b015398c77a5b155c3dc9ab3265aa2c149902
                          • Opcode Fuzzy Hash: 980bcc27c3d7f91dee28e973223a1226f8abce5e6d2295ab376f30973c1b3388
                          • Instruction Fuzzy Hash: 48E092B5D40204EFCF51AFA0D94C6ADBFB5BB08311B549449E94AE7250CB385A41EF50
                          APIs
                            • Part of subcall function 00A87620: _wcslen.LIBCMT ref: 00A87625
                          • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00AF4ED4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Connection_wcslen
                          • String ID: *$LPT
                          • API String ID: 1725874428-3443410124
                          • Opcode ID: 40386a0da1a9c1233c2de054470dbd89c0e023f08b6282a386d13910be39c6d5
                          • Instruction ID: 4cedac2c7433002cade8e7407ab77220909dbb08c861549711edc20359a055ba
                          • Opcode Fuzzy Hash: 40386a0da1a9c1233c2de054470dbd89c0e023f08b6282a386d13910be39c6d5
                          • Instruction Fuzzy Hash: 72916D75A002089FCB14DF98C584EAABBF1BF48704F188099F94A9F362D731ED85CB90
                          APIs
                          • __startOneArgErrorHandling.LIBCMT ref: 00AAE30D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ErrorHandling__start
                          • String ID: pow
                          • API String ID: 3213639722-2276729525
                          • Opcode ID: 6b08328f2cbd3a768d6c35b419a72a8f644e1ae095e136f41b4dafc66f9caefd
                          • Instruction ID: ff8a8bf960050d990880c8c5d85093c2e86a83ff9d01bc8f0c718ee9acc2b030
                          • Opcode Fuzzy Hash: 6b08328f2cbd3a768d6c35b419a72a8f644e1ae095e136f41b4dafc66f9caefd
                          • Instruction Fuzzy Hash: E9512B71A0C20296CF15F718CA417FD3BACAF81780F344D98E096872EAEF758C959A56
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: #
                          • API String ID: 0-1885708031
                          • Opcode ID: 4f9745b836c850abcc94e22845c01d4737a728ad17069356660ec6b3f878ff09
                          • Instruction ID: b9e308044d0e92b5feb3af82c1b4279b8d7009aa6e2a02031fa4b38d8e70b333
                          • Opcode Fuzzy Hash: 4f9745b836c850abcc94e22845c01d4737a728ad17069356660ec6b3f878ff09
                          • Instruction Fuzzy Hash: 1F51F175A04246DFDF15EF68C481AFA7BB8EF65310F24405AE8929F3D1DA349D42CBA0
                          APIs
                          • Sleep.KERNEL32(00000000), ref: 00A9F2A2
                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 00A9F2BB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: GlobalMemorySleepStatus
                          • String ID: @
                          • API String ID: 2783356886-2766056989
                          • Opcode ID: 3e04200a84c0a28bc5db054fd99e746fbb6adfdf79b0a62dd6f78b0f8fd1214f
                          • Instruction ID: b56842a9a52dac5e9755d844b4559579e16eca8998d5634edfffa322aca9e7b0
                          • Opcode Fuzzy Hash: 3e04200a84c0a28bc5db054fd99e746fbb6adfdf79b0a62dd6f78b0f8fd1214f
                          • Instruction Fuzzy Hash: 375158714087449BE320AF14ED86BAFBBF8FF84314F91884DF2D951195EB308929CB66
                          APIs
                          • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00B057E0
                          • _wcslen.LIBCMT ref: 00B057EC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: BuffCharUpper_wcslen
                          • String ID: CALLARGARRAY
                          • API String ID: 157775604-1150593374
                          • Opcode ID: fbe4e43f3dcd72b4c8db06beb1e997c85a325548395c563cfd0938338e898d9d
                          • Instruction ID: 306db88396470623a79a457c240fdfcac46863aa616754723ca019f59d92bb4e
                          • Opcode Fuzzy Hash: fbe4e43f3dcd72b4c8db06beb1e997c85a325548395c563cfd0938338e898d9d
                          • Instruction Fuzzy Hash: 34418F31A006099FCB14DFA9C9859BEBBF9EF59350F1480A9E905A7291EB70DD81CF90
                          APIs
                          • _wcslen.LIBCMT ref: 00AFD130
                          • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00AFD13A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: CrackInternet_wcslen
                          • String ID: |
                          • API String ID: 596671847-2343686810
                          • Opcode ID: 29eacb24e421cec4f35ef6264e2d5d3ef65d0b94b61ee2501ef735229efe15fb
                          • Instruction ID: 7cd27ef544fda1af982c9116655a919ef2b8c6432e83e7ba100c2b0c80fcc86f
                          • Opcode Fuzzy Hash: 29eacb24e421cec4f35ef6264e2d5d3ef65d0b94b61ee2501ef735229efe15fb
                          • Instruction Fuzzy Hash: 81313E71D00209ABDF15EFE4CD85AEEBFBAFF05300F000119F915A6165E731AA56DB64
                          APIs
                          • DestroyWindow.USER32(?,?,?,?), ref: 00B13621
                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B1365C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Window$DestroyMove
                          • String ID: static
                          • API String ID: 2139405536-2160076837
                          • Opcode ID: b2e3074822d43182c3f4e2075baa347a2a9ba325a88a2cb871ea5492731e7223
                          • Instruction ID: 7a381924f0126c8c612731a38aef9ad43b7ed771e93fa57426dfd0e8b16c20fd
                          • Opcode Fuzzy Hash: b2e3074822d43182c3f4e2075baa347a2a9ba325a88a2cb871ea5492731e7223
                          • Instruction Fuzzy Hash: AA319E71100204AEEB109F28DC80FFB73E9FF98B64F508619F9A597290DA30AD91C760
                          APIs
                          • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00B1461F
                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B14634
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: '
                          • API String ID: 3850602802-1997036262
                          • Opcode ID: dedc2322882a607ec1043d0423c9e9d56c1926f0d93f4b0f4b0389d4a95a6203
                          • Instruction ID: 4d92ea4e928e208d882ca1c8ab252e6f621da106a7ab9440e3127c16216985e5
                          • Opcode Fuzzy Hash: dedc2322882a607ec1043d0423c9e9d56c1926f0d93f4b0f4b0389d4a95a6203
                          • Instruction Fuzzy Hash: 03311674A0020A9FDF14CFA9C980BDA7BF6FB19304F5444AAE904AB341D770A981CF90
                          APIs
                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B1327C
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B13287
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: Combobox
                          • API String ID: 3850602802-2096851135
                          • Opcode ID: 56b7fa2e1c6ad39d52cac01c21ad6195df610035f758ce4d743d9f4dc7bd7d08
                          • Instruction ID: 53882d87cff31623f933b09403412f7b4ecc0595fa98c607630864633cbebaa2
                          • Opcode Fuzzy Hash: 56b7fa2e1c6ad39d52cac01c21ad6195df610035f758ce4d743d9f4dc7bd7d08
                          • Instruction Fuzzy Hash: B511B2713002087FFF21AE54DC80EFB3BEAEB98764F504164F918A7290E6319D9187A0
                          APIs
                            • Part of subcall function 00A8600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A8604C
                            • Part of subcall function 00A8600E: GetStockObject.GDI32(00000011), ref: 00A86060
                            • Part of subcall function 00A8600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A8606A
                          • GetWindowRect.USER32(00000000,?), ref: 00B1377A
                          • GetSysColor.USER32(00000012), ref: 00B13794
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                          • String ID: static
                          • API String ID: 1983116058-2160076837
                          • Opcode ID: b8b4084e399041024a838f210547763b09e644b6152bd47ef55744c236e474f7
                          • Instruction ID: 2b02397816be642be00fd4dbd5c6ae68816a7c1c597e3e76db34dba2bcba12bb
                          • Opcode Fuzzy Hash: b8b4084e399041024a838f210547763b09e644b6152bd47ef55744c236e474f7
                          • Instruction Fuzzy Hash: 461137B2610209AFDF01DFA8CC46EEA7BF8FB08714F404954F955E3250EB35E8619B60
                          APIs
                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00AFCD7D
                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00AFCDA6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Internet$OpenOption
                          • String ID: <local>
                          • API String ID: 942729171-4266983199
                          • Opcode ID: bd163f0ef1fb2529d547fa116c432cf770f4eea48050162a826defa563346eb0
                          • Instruction ID: 8298fa73180333a4fbb2e0e5f0aa04c8b4b1d34335fe34029f73749cb323185b
                          • Opcode Fuzzy Hash: bd163f0ef1fb2529d547fa116c432cf770f4eea48050162a826defa563346eb0
                          • Instruction Fuzzy Hash: 4E11C27124563DBAD7384BA78C49EFBBEACEF127B4F40422AB20983080D7709941D6F0
                          APIs
                          • GetWindowTextLengthW.USER32(00000000), ref: 00B134AB
                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B134BA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: LengthMessageSendTextWindow
                          • String ID: edit
                          • API String ID: 2978978980-2167791130
                          • Opcode ID: 698ac6083e2a317bacaae59bf48c6f52c202edadd96caca34e2cd2de59a08edf
                          • Instruction ID: 26cddfcb56284b7365fc855b9dafc8239dd521b9aaa4b728af2a57d25c399cb8
                          • Opcode Fuzzy Hash: 698ac6083e2a317bacaae59bf48c6f52c202edadd96caca34e2cd2de59a08edf
                          • Instruction Fuzzy Hash: 2811BF71100208AFEB228E64DC80AEB3BEAEB14B74F908364FA65932E0D731DCD19750
                          APIs
                            • Part of subcall function 00A89CB3: _wcslen.LIBCMT ref: 00A89CBD
                          • CharUpperBuffW.USER32(?,?,?), ref: 00AE6CB6
                          • _wcslen.LIBCMT ref: 00AE6CC2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _wcslen$BuffCharUpper
                          • String ID: STOP
                          • API String ID: 1256254125-2411985666
                          • Opcode ID: 119a9923c767e30e8cbe9a0c501109e4e5afc65f942f010a4c07b2fef02cf569
                          • Instruction ID: 73397bbb514a74dc60eb0c35c2a0477fc45db645796b1aeabfa581dfc0dfbe4a
                          • Opcode Fuzzy Hash: 119a9923c767e30e8cbe9a0c501109e4e5afc65f942f010a4c07b2fef02cf569
                          • Instruction Fuzzy Hash: E90104326009668BCB20AFBECC908BF77B5FAB57907600D28E86293191EB31D900C750
                          APIs
                            • Part of subcall function 00A89CB3: _wcslen.LIBCMT ref: 00A89CBD
                            • Part of subcall function 00AE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AE3CCA
                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00AE1D4C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ClassMessageNameSend_wcslen
                          • String ID: ComboBox$ListBox
                          • API String ID: 624084870-1403004172
                          • Opcode ID: eaf1fd8aaccb4dfd4b630a988e19747808662b4ac6436ae9aad2398c06e71741
                          • Instruction ID: 665c46336464af906f79be9e7e0cfe5f1bcc292fa6ee1c6bec0dd93439e218de
                          • Opcode Fuzzy Hash: eaf1fd8aaccb4dfd4b630a988e19747808662b4ac6436ae9aad2398c06e71741
                          • Instruction Fuzzy Hash: 7101D471601228ABCF18FFA5CE95CFF77A8EB46350B540619F832672D2EA3199088761
                          APIs
                            • Part of subcall function 00A89CB3: _wcslen.LIBCMT ref: 00A89CBD
                            • Part of subcall function 00AE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AE3CCA
                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 00AE1C46
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ClassMessageNameSend_wcslen
                          • String ID: ComboBox$ListBox
                          • API String ID: 624084870-1403004172
                          • Opcode ID: 598064eba1f80a2f16d6df52d332ae60dbd165afbf0f9f41fc45d86bc05864c4
                          • Instruction ID: 219521cfae22db2279b7fef0fda3adbc69c3333d3cfd8ff37cd05422bdec20ef
                          • Opcode Fuzzy Hash: 598064eba1f80a2f16d6df52d332ae60dbd165afbf0f9f41fc45d86bc05864c4
                          • Instruction Fuzzy Hash: 1B01A7757811586BCF14FB91CA559FF77A89B51340F240019F416B7282EA319F1C97B2
                          APIs
                            • Part of subcall function 00A89CB3: _wcslen.LIBCMT ref: 00A89CBD
                            • Part of subcall function 00AE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AE3CCA
                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 00AE1CC8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ClassMessageNameSend_wcslen
                          • String ID: ComboBox$ListBox
                          • API String ID: 624084870-1403004172
                          • Opcode ID: f9bf0c6750e43ec6285a55d51edcb798858120b8439cad826b36c913a8f2bd3b
                          • Instruction ID: ca1a386c1dc668e9590e563cdfbccb3132252fc6197b4994ff35c2c98e45c49f
                          • Opcode Fuzzy Hash: f9bf0c6750e43ec6285a55d51edcb798858120b8439cad826b36c913a8f2bd3b
                          • Instruction Fuzzy Hash: DB01D6B16811686BCF14FBA2CB05AFF77E89B51340F240415B802B3282EA319F18D772
                          APIs
                            • Part of subcall function 00A89CB3: _wcslen.LIBCMT ref: 00A89CBD
                            • Part of subcall function 00AE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AE3CCA
                          • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00AE1DD3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ClassMessageNameSend_wcslen
                          • String ID: ComboBox$ListBox
                          • API String ID: 624084870-1403004172
                          • Opcode ID: 0c2157a63edde5619c2b3b39d67c49d48f6d6705c54b0436aa6e0007e351a88b
                          • Instruction ID: 489ad511cf2ce2fb7fe2fd73e059bd35f7da742797b1cbfa90c87b61eca47014
                          • Opcode Fuzzy Hash: 0c2157a63edde5619c2b3b39d67c49d48f6d6705c54b0436aa6e0007e351a88b
                          • Instruction Fuzzy Hash: E5F0A971A416296BDB14F7A5CD95AFF77B8AB01350F580915F422632C1EA715A088361
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: _wcslen
                          • String ID: 3, 3, 16, 1
                          • API String ID: 176396367-3042988571
                          • Opcode ID: e49a2f2a9c59cc032bcc90ec9b0c28ec3425cdaff8527021fe5f461c41f1d59b
                          • Instruction ID: 745ef6143674f96a0bf42f71bb34a4b558e4dab131f13032db4a5466ad9372dd
                          • Opcode Fuzzy Hash: e49a2f2a9c59cc032bcc90ec9b0c28ec3425cdaff8527021fe5f461c41f1d59b
                          • Instruction Fuzzy Hash: A7E02B02A5426010D23116799DC197FDBCDCFCA790710186BF981C33E6EFD49DA293A0
                          APIs
                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00AE0B23
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Message
                          • String ID: AutoIt$Error allocating memory.
                          • API String ID: 2030045667-4017498283
                          • Opcode ID: 7d38cbad8cd2bebb223f00b791f10dd6e76d0b89b9599c7c44833a4574d18d7d
                          • Instruction ID: d8fb56594544b2b1fded4cc428a578748b20f5e7c5c64156763abb95710a9a38
                          • Opcode Fuzzy Hash: 7d38cbad8cd2bebb223f00b791f10dd6e76d0b89b9599c7c44833a4574d18d7d
                          • Instruction Fuzzy Hash: D3E0D8323843082BD62037547D03FC97EC58F06F50F10046AF748954D38BD1299006E9
                          APIs
                            • Part of subcall function 00A9F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00AA0D71,?,?,?,00A8100A), ref: 00A9F7CE
                          • IsDebuggerPresent.KERNEL32(?,?,?,00A8100A), ref: 00AA0D75
                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A8100A), ref: 00AA0D84
                          Strings
                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00AA0D7F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                          • API String ID: 55579361-631824599
                          • Opcode ID: 27ac9a6d10525efad39fd3a1c923147eaf3fa8b29a605ac1398f9841a3ac4c9a
                          • Instruction ID: 8d8519b1d8ecbda90ec3b10d69f21ca8bd2507eca54254e0fff6f67d2f72f5d3
                          • Opcode Fuzzy Hash: 27ac9a6d10525efad39fd3a1c923147eaf3fa8b29a605ac1398f9841a3ac4c9a
                          • Instruction Fuzzy Hash: C9E06D752007018BD360AFBCD508B927BE0AB01740F40896DE486C76A1EBB5E488CB91
                          APIs
                          • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00AF302F
                          • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00AF3044
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: Temp$FileNamePath
                          • String ID: aut
                          • API String ID: 3285503233-3010740371
                          • Opcode ID: ad50417d46135138b446c25fe3e4587a781bdfdfd676af17e440be1b22442af5
                          • Instruction ID: 86746fb37b56eb8fefe5b2c17effc3894ee379a6ecefb47183f40609f7894a66
                          • Opcode Fuzzy Hash: ad50417d46135138b446c25fe3e4587a781bdfdfd676af17e440be1b22442af5
                          • Instruction Fuzzy Hash: EBD05EB254032867DA20A7A4AC0EFCB3F6CDB05750F4002A1B655E30A1DEF09A84CAD0
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: LocalTime
                          • String ID: %.3d$X64
                          • API String ID: 481472006-1077770165
                          • Opcode ID: 7f4fac8a890df5a8ebe4aa9759a77435b8a1733c5a31bfad8bd6b1052e71c719
                          • Instruction ID: b1c19c2a58f15eefcadee1f373d5d5bcf97f02691a01ebd19a08c6b7c94d982d
                          • Opcode Fuzzy Hash: 7f4fac8a890df5a8ebe4aa9759a77435b8a1733c5a31bfad8bd6b1052e71c719
                          • Instruction Fuzzy Hash: 69D012B1948108EACF509AD0CC458F9B7BCEB18341F508453F807D2140DA34C649A761
                          APIs
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B1232C
                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B1233F
                            • Part of subcall function 00AEE97B: Sleep.KERNEL32 ref: 00AEE9F3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: FindMessagePostSleepWindow
                          • String ID: Shell_TrayWnd
                          • API String ID: 529655941-2988720461
                          • Opcode ID: 365d9ab950a8d9884e1585f13e1b41ff7df4ee727b2e52f10f5b07376c800ace
                          • Instruction ID: e3963a4e3850132c5d4840c69aae7d489397bc6ac85026c279900e0dcb4ec2ec
                          • Opcode Fuzzy Hash: 365d9ab950a8d9884e1585f13e1b41ff7df4ee727b2e52f10f5b07376c800ace
                          • Instruction Fuzzy Hash: FDD0C9363D4350BAE664A771DC0FFC6AA55AB10B10F4089167645AB1E5D9A0A841CA54
                          APIs
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B1236C
                          • PostMessageW.USER32(00000000), ref: 00B12373
                            • Part of subcall function 00AEE97B: Sleep.KERNEL32 ref: 00AEE9F3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: FindMessagePostSleepWindow
                          • String ID: Shell_TrayWnd
                          • API String ID: 529655941-2988720461
                          • Opcode ID: 11a4a1d4c6d0d75e840cd0ddec41532591853267d833888d8dda7e8f1ddfabb0
                          • Instruction ID: 495225f42807eea0a4879174ba6ca9f06c53ad80cde0763d134e232db5fb695d
                          • Opcode Fuzzy Hash: 11a4a1d4c6d0d75e840cd0ddec41532591853267d833888d8dda7e8f1ddfabb0
                          • Instruction Fuzzy Hash: 2AD0C9323C13507AE664A771DC0FFC6AA55AB15B10F4089167645AB1E5D9A0A841CA54
                          APIs
                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00ABBE93
                          • GetLastError.KERNEL32 ref: 00ABBEA1
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00ABBEFC
                          Memory Dump Source
                          • Source File: 00000000.00000002.1308084317.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                          • Associated: 00000000.00000002.1308062032.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308151110.0000000000B42000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308218891.0000000000B4C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1308238112.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_a80000_file.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide$ErrorLast
                          • String ID:
                          • API String ID: 1717984340-0
                          • Opcode ID: cc0a370344734d7aa52872d76794b1a93c6ac4341fbc7a1cac0489ce2b410d7d
                          • Instruction ID: f15a88f4a4c485231cbe407fd02426fcad01551f52f3516e4e38ce680390d154
                          • Opcode Fuzzy Hash: cc0a370344734d7aa52872d76794b1a93c6ac4341fbc7a1cac0489ce2b410d7d
                          • Instruction Fuzzy Hash: 1441C334610206AFCF258FB5CD44AFA7BADAF42310F244169F9599B1A2DBB0CD01DB70