

Windows Analysis Report
S91AYfMUT0.exe

Overview

General Information

Sample name:S91AYfMUT0.exe
renamed because original name is a hash value
Original sample name:b54974cd7b04beb5d6c5377ff6170f7b.exe
Analysis ID:1510361
MD5:b54974cd7b04beb5d6c5377ff6170f7b
SHA1:229eaffc4f15cbf5b2e21d9360e396aee53fb1b7
SHA256:9bef149490674703ed211bd591252d0c1557251e2e0844f4d5885d84ec0207ff
Tags:exe

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • S91AYfMUT0.exe (PID: 8092 cmdline: "C:\Users\user\Desktop\S91AYfMUT0.exe" MD5: B54974CD7B04BEB5D6C5377FF6170F7B)
    • icon.exe (PID: 7212 cmdline: "C:\Users\user\Desktop\S91AYfMUT0.exe" MD5: B54974CD7B04BEB5D6C5377FF6170F7B)
      • svchost.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\S91AYfMUT0.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • wscript.exe (PID: 6736 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icon.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • icon.exe (PID: 7676 cmdline: "C:\Users\user\AppData\Local\directory\icon.exe" MD5: B54974CD7B04BEB5D6C5377FF6170F7B)
      • svchost.exe (PID: 6116 cmdline: "C:\Users\user\AppData\Local\directory\icon.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware configuration (Remcos, as extracted by the sandbox):
{"Host:Port:Password": "5.95.169.137:2404:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-203ZZ1", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Yara matches in process memory (Source, Rule, Description, Author, Strings):

Source: 00000009.00000002.3742139950.0000000003412000.00000004.00000020.00020000.00000000.sdmp
  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp
  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Author: unknown, Strings:
    • 0x6c4b8:$a1: Remcos restarted by watchdog!
    • 0x6ca30:$a3: %02i:%02i:%02i:%03i
Full table: 38 entries (remaining entries not shown here).
Yara matches in unpacked PE files (Source, Rule, Description, Author, Strings):

Source: 13.2.svchost.exe.400000.0.raw.unpack
  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Author: unknown, Strings:
    • 0x6c4b8:$a1: Remcos restarted by watchdog!
    • 0x6ca30:$a3: %02i:%02i:%02i:%03i
  • Rule: REMCOS_RAT_variants, Description: unknown, Author: unknown, Strings:
    • 0x6650c:$str_a1: C:\Windows\System32\cmd.exe
    • 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x6657c:$str_b2: Executing file:
    • 0x675fc:$str_b3: GetDirectListeningPort
    • 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x67128:$str_b7: \update.vbs
    • 0x665a4:$str_b9: Downloaded file:
    • 0x66590:$str_b10: Downloading file:
    • 0x66634:$str_b12: Failed to upload file:
    • 0x675c4:$str_b13: StartForward
    • 0x675e4:$str_b14: StopForward
    • 0x67080:$str_b15: fso.DeleteFile "
    • 0x67014:$str_b16: On Error Resume Next
    • 0x670b0:$str_b17: fso.DeleteFolder "
    • 0x66624:$str_b18: Uploaded file:
    • 0x665e4:$str_b19: Unable to delete:
    • 0x67048:$str_b20: while fso.FileExists("
    • 0x66ac1:$str_c0: [Firefox StoredLogins not found]
Full table: 43 entries (remaining entries not shown here).

                System Summary

Source: Process started. Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community. Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icon.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icon.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icon.vbs", ProcessId: 6736, ProcessName: wscript.exe
Source: Process started. Author: Florian Roth (Nextron Systems). Data: Command: "C:\Users\user\Desktop\S91AYfMUT0.exe", CommandLine: "C:\Users\user\Desktop\S91AYfMUT0.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\S91AYfMUT0.exe", ParentImage: C:\Users\user\AppData\Local\directory\icon.exe, ParentProcessId: 7212, ParentProcessName: icon.exe, ProcessCommandLine: "C:\Users\user\Desktop\S91AYfMUT0.exe", ProcessId: 7284, ProcessName: svchost.exe
Source: Process started. Author: Michael Haag. Data (same process 6736 as the first entry, matched by a second rule): Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icon.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icon.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icon.vbs", ProcessId: 6736, ProcessName: wscript.exe
Source: Process started. Author: vburov. Data (same process 7284 as the second entry, matched by a second rule): Command: "C:\Users\user\Desktop\S91AYfMUT0.exe", CommandLine: "C:\Users\user\Desktop\S91AYfMUT0.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\S91AYfMUT0.exe", ParentImage: C:\Users\user\AppData\Local\directory\icon.exe, ParentProcessId: 7212, ParentProcessName: icon.exe, ProcessCommandLine: "C:\Users\user\Desktop\S91AYfMUT0.exe", ProcessId: 7284, ProcessName: svchost.exe

                Data Obfuscation

Source: File created. Author: Joe Security. Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\icon.exe, ProcessId: 7212, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icon.vbs

                Stealing of Sensitive Information

Source: Registry Key set. Author: Joe Security. Data: Details: DD 18 B5 6D A1 23 D8 B8 DC B8 AE 7F 9A 19 B7 57 22 6C DD 1B 6F 27 BD 7D E2 46 78 E7 C3 ED 2E 14 8D F4 AB 40 C2 16 4F 49 5F 83 C3 12 E9 C9 03 5B 37 4D 70 F8 35 61 3B AD AC F3 8F 60 AE BB 27 24, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 7284, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-203ZZ1\exepath (the key name matches the Mutex value in the extracted configuration)
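A triage pass over the kinds of events the Sigma and Sysmon-style entries above record (process start, file create, registry value set), as an added example; this is not Joe Sandbox, Sigma or Remcos code. The event records are constructed here with Sysmon field names, using the values the report prints where it prints them; the benign svchost.exe control event and the detection thresholds are assumptions, and the "Rmc-" key pattern is generalized from this report's mutex, which is an assumption about other builds.

```python
"""Event triage for the behaviours this report shows: a script host run from
the Startup folder, svchost.exe with an unexpected parent, an image whose
command line names a different executable, a script dropped into Startup,
and the HKCU\\SOFTWARE\\Rmc-<id> install key.  Added example, not Joe Sandbox
or Remcos code.  Field names follow Sysmon (EventID 1/11/13); the sample
events below are constructed from the values the report prints."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# "Rmc-" comes from the Mutex in this report's configuration; assuming the
# prefix is stable across builds is an assumption of this example.
REMCOS_KEY = re.compile(r"^hkey_current_user\\software\\rmc-[0-9a-z]+\\", re.I)


def base(path):
    """Lower-cased file name of a Windows path ('' when absent)."""
    return ntpath.basename(path or "").lower()


def argv(cmdline):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline or "")]


def in_user_writable(path):
    p = (path or "").lower()
    return any(marker in p for marker in USER_WRITABLE)


def check_process(ev):
    """EventID 1 (process create)."""
    out = []
    image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
    tokens = argv(ev.get("CommandLine", ""))
    if base(image) in SCRIPT_HOSTS:
        for arg in tokens[1:]:
            a = arg.lower()
            if STARTUP_DIR in a and ntpath.splitext(a)[1] in SCRIPT_EXTS:
                out.append("script host executing %s from the Startup folder" % base(arg))
    if base(image) == "svchost.exe":
        if base(parent) != "services.exe":
            out.append("svchost.exe with unexpected parent %s" % (parent or "<unknown>"))
        if in_user_writable(parent):
            out.append("svchost.exe parent runs from a user-writable path")
    # The image and the first command-line token normally agree; a mismatch is
    # what the hollowed svchost.exe looks like in this report.  Some launchers
    # rewrite argv[0] legitimately, so treat it as a weak signal on its own.
    if tokens and base(tokens[0]) != base(image):
        out.append("command line names %s but image is %s (possible process hollowing)"
                   % (base(tokens[0]), base(image)))
    return out


def check_file_create(ev):
    """EventID 11 (file create)."""
    t = ev.get("TargetFilename", "").lower()
    if STARTUP_DIR in t and ntpath.splitext(t)[1] in SCRIPT_EXTS:
        return ["script dropped into the Startup folder by %s" % base(ev.get("Image", ""))]
    return []


def check_registry(ev):
    """EventID 13 (registry value set)."""
    out = []
    key, image = ev.get("TargetObject", ""), ev.get("Image", "")
    if REMCOS_KEY.match(key):
        out.append("Remcos-style install key written: %s" % key)
    if RUN_KEY.search(key) and in_user_writable(image):
        out.append("Run-key persistence set by %s" % image)
    return out


CHECKS = {1: check_process, 11: check_file_create, 13: check_registry}


def triage(events):
    """Return (EventID, ProcessId, finding) for every finding in the stream."""
    hits = []
    for ev in events:
        fn = CHECKS.get(ev.get("EventID"))
        for finding in (fn(ev) if fn else []):
            hits.append((ev["EventID"], ev.get("ProcessId"), finding))
    return hits


# Constructed sample stream; values mirror the report where it prints them.
STARTUP = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 6736, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": "",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "%s\icon.vbs"' % STARTUP},
    {"EventID": 1, "ProcessId": 7284, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\directory\icon.exe",
     "CommandLine": r'"C:\Users\user\Desktop\S91AYfMUT0.exe"'},
    {"EventID": 1, "ProcessId": 1204, "Image": r"C:\Windows\System32\svchost.exe",  # assumed benign control
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"EventID": 11, "ProcessId": 7212, "Image": r"C:\Users\user\AppData\Local\directory\icon.exe",
     "TargetFilename": STARTUP + r"\icon.vbs"},
    {"EventID": 13, "ProcessId": 7284, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Rmc-203ZZ1\exepath"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("EventID %d PID %s: %s" % hit)
```

The benign svchost.exe event produces no finding, while the report's svchost.exe (PID 7284) trips all three process checks at once: wrong parent, parent in a user-writable directory, and a command line naming S91AYfMUT0.exe rather than svchost.exe, which is the trace process hollowing leaves in process-creation telemetry.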
Suricata IDS alerts (columns: Timestamp, SID, Severity, Classtype, Source IP, Source Port, Destination IP, Destination Port, Protocol). All 103 alerts share the same values for every column except the timestamp and source port: SID 2036594, Severity 1, Classtype "Malware Command and Control Activity Detected", Source IP 192.168.2.10, Destination IP 45.95.169.137, Destination Port 2404, Protocol TCP. Each alert carries a fresh source port (49700 to 49807), i.e. a new TCP connection roughly every 2 to 3 seconds over about four minutes.
Note: the destination 45.95.169.137 observed on the wire differs from the host 5.95.169.137 in the extracted configuration; treat both as indicators and confirm against the PCAP.

Timestamp | Source Port
2024-09-12T21:27:15.218010+0200 | 49700
2024-09-12T21:27:17.917524+0200 | 49701
2024-09-12T21:27:20.602886+0200 | 49702
2024-09-12T21:27:23.550003+0200 | 49703
2024-09-12T21:27:26.358167+0200 | 49705
2024-09-12T21:27:29.076160+0200 | 49709
2024-09-12T21:27:31.775526+0200 | 49710
2024-09-12T21:27:34.478620+0200 | 49711
2024-09-12T21:27:37.203367+0200 | 49712
2024-09-12T21:27:39.925071+0200 | 49713
2024-09-12T21:27:42.637414+0200 | 49714
2024-09-12T21:27:45.344746+0200 | 49715
2024-09-12T21:27:48.135008+0200 | 49716
2024-09-12T21:27:50.822146+0200 | 49717
2024-09-12T21:27:53.529767+0200 | 49718
2024-09-12T21:27:56.229180+0200 | 49719
2024-09-12T21:27:58.931805+0200 | 49720
2024-09-12T21:28:01.636832+0200 | 49721
2024-09-12T21:28:04.409147+0200 | 49722
2024-09-12T21:28:07.371022+0200 | 49724
2024-09-12T21:28:10.074508+0200 | 49725
2024-09-12T21:28:13.059767+0200 | 49726
2024-09-12T21:28:15.793463+0200 | 49727
2024-09-12T21:28:18.496322+0200 | 49728
2024-09-12T21:28:21.201793+0200 | 49729
2024-09-12T21:28:23.990055+0200 | 49730
2024-09-12T21:28:26.700938+0200 | 49731
2024-09-12T21:28:29.405886+0200 | 49732
2024-09-12T21:28:32.089053+0200 | 49733
2024-09-12T21:28:34.795844+0200 | 49734
2024-09-12T21:28:37.495044+0200 | 49735
2024-09-12T21:28:40.199306+0200 | 49736
2024-09-12T21:28:43.130186+0200 | 49737
2024-09-12T21:28:45.795277+0200 | 49738
2024-09-12T21:28:48.590013+0200 | 49739
2024-09-12T21:28:53.589312+0200 | 49740
2024-09-12T21:28:56.169469+0200 | 49741
2024-09-12T21:28:58.714462+0200 | 49742
2024-09-12T21:29:01.266431+0200 | 49743
2024-09-12T21:29:03.777955+0200 | 49744
2024-09-12T21:29:06.253062+0200 | 49745
2024-09-12T21:29:08.707352+0200 | 49746
2024-09-12T21:29:11.121127+0200 | 49747
2024-09-12T21:29:13.495506+0200 | 49748
2024-09-12T21:29:15.959830+0200 | 49749
2024-09-12T21:29:18.308869+0200 | 49750
2024-09-12T21:29:20.672062+0200 | 49751
2024-09-12T21:29:22.987406+0200 | 49752
2024-09-12T21:29:25.340075+0200 | 49753
2024-09-12T21:29:27.747997+0200 | 49754
2024-09-12T21:29:30.202831+0200 | 49755
2024-09-12T21:29:32.438465+0200 | 49756
2024-09-12T21:29:34.639455+0200 | 49757
2024-09-12T21:29:36.860018+0200 | 49758
2024-09-12T21:29:39.060917+0200 | 49759
2024-09-12T21:29:41.236637+0200 | 49760
2024-09-12T21:29:43.388382+0200 | 49761
2024-09-12T21:29:45.532232+0200 | 49762
2024-09-12T21:29:47.654867+0200 | 49763
2024-09-12T21:29:49.958130+0200 | 49764
2024-09-12T21:29:52.068158+0200 | 49765
2024-09-12T21:29:54.153761+0200 | 49766
2024-09-12T21:29:56.219908+0200 | 49767
2024-09-12T21:29:58.278588+0200 | 49768
2024-09-12T21:30:00.346480+0200 | 49769
2024-09-12T21:30:02.375452+0200 | 49770
2024-09-12T21:30:04.406538+0200 | 49771
2024-09-12T21:30:07.390061+0200 | 49772
2024-09-12T21:30:09.529597+0200 | 49773
2024-09-12T21:30:11.517891+0200 | 49774
2024-09-12T21:30:13.762887+0200 | 49775
2024-09-12T21:30:16.796315+0200 | 49776
2024-09-12T21:30:18.762756+0200 | 49777
2024-09-12T21:30:20.717713+0200 | 49778
2024-09-12T21:30:22.672776+0200 | 49779
2024-09-12T21:30:24.593750+0200 | 49780
2024-09-12T21:30:26.535505+0200 | 49781
2024-09-12T21:30:28.435898+0200 | 49782
2024-09-12T21:30:30.357811+0200 | 49783
2024-09-12T21:30:32.267567+0200 | 49784
2024-09-12T21:30:34.796130+0200 | 49785
2024-09-12T21:30:36.685651+0200 | 49786
2024-09-12T21:30:38.575430+0200 | 49787
2024-09-12T21:30:40.435581+0200 | 49788
2024-09-12T21:30:42.465556+0200 | 49789
2024-09-12T21:30:44.362724+0200 | 49790
2024-09-12T21:30:46.239681+0200 | 49791
2024-09-12T21:30:48.107581+0200 | 49792
2024-09-12T21:30:49.950832+0200 | 49793
2024-09-12T21:30:51.779596+0200 | 49794
2024-09-12T21:30:53.607180+0200 | 49795
2024-09-12T21:30:55.436498+0200 | 49796
2024-09-12T21:30:57.285171+0200 | 49797
2024-09-12T21:30:59.125555+0200 | 49798
2024-09-12T21:31:00.970633+0200 | 49799
2024-09-12T21:31:02.779631+0200 | 49800
2024-09-12T21:31:04.597796+0200 | 49801
2024-09-12T21:31:06.441468+0200 | 49802
2024-09-12T21:31:08.254116+0200 | 49803
2024-09-12T21:31:10.083380+0200 | 49804
2024-09-12T21:31:11.888048+0200 | 49805
2024-09-12T21:31:13.671542+0200 | 49806
2024-09-12T21:31:15.702801+0200 | 49807
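The alert table above is the kind of input a beacon-detection pass consumes: many identical alerts to one destination at a near-constant cadence, each on a new source port. The following is an added example of that analysis, not Joe Sandbox or Suricata code. It embeds a constructed excerpt of the report's first ten alerts (in the column order of the table) plus two constructed control alerts to an assumed host 10.0.0.5 with SID 0; the grouping key, the minimum alert count and the jitter threshold are assumptions.

```python
"""Beacon-interval analysis over IDS alerts.  Added example, not Joe Sandbox
or Suricata code.  Groups alerts by (src, dst, dport, proto), measures the
inter-alert gaps and flags low-jitter, repeated traffic as beaconing."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed excerpt: first ten alerts from the report's table, then two
# constructed control alerts (assumed host 10.0.0.5, SID 0) that are not beacons.
SAMPLE_ALERTS = """\
2024-09-12T21:27:15.218010+0200,2036594,1,Malware Command and Control Activity Detected,192.168.2.10,49700,45.95.169.137,2404,TCP
2024-09-12T21:27:17.917524+0200,2036594,1,Malware Command and Control Activity Detected,192.168.2.10,49701,45.95.169.137,2404,TCP
2024-09-12T21:27:20.602886+0200,2036594,1,Malware Command and Control Activity Detected,192.168.2.10,49702,45.95.169.137,2404,TCP
2024-09-12T21:27:23.550003+0200,2036594,1,Malware Command and Control Activity Detected,192.168.2.10,49703,45.95.169.137,2404,TCP
2024-09-12T21:27:26.358167+0200,2036594,1,Malware Command and Control Activity Detected,192.168.2.10,49705,45.95.169.137,2404,TCP
2024-09-12T21:27:29.076160+0200,2036594,1,Malware Command and Control Activity Detected,192.168.2.10,49709,45.95.169.137,2404,TCP
2024-09-12T21:27:31.775526+0200,2036594,1,Malware Command and Control Activity Detected,192.168.2.10,49710,45.95.169.137,2404,TCP
2024-09-12T21:27:34.478620+0200,2036594,1,Malware Command and Control Activity Detected,192.168.2.10,49711,45.95.169.137,2404,TCP
2024-09-12T21:27:37.203367+0200,2036594,1,Malware Command and Control Activity Detected,192.168.2.10,49712,45.95.169.137,2404,TCP
2024-09-12T21:27:39.925071+0200,2036594,1,Malware Command and Control Activity Detected,192.168.2.10,49713,45.95.169.137,2404,TCP
2024-09-12T21:27:16.000000+0200,0,3,Not Suspicious Traffic,192.168.2.10,49704,10.0.0.5,443,TCP
2024-09-12T21:27:58.000000+0200,0,3,Not Suspicious Traffic,192.168.2.10,49723,10.0.0.5,443,TCP
"""


def parse_alerts(text):
    """Parse comma-separated alert rows in the report's column order."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sev, cls, sip, sport, dip, dport, proto = line.split(",")
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "severity": int(sev), "class": cls,
            "src": sip, "sport": int(sport), "dst": dip, "dport": int(dport),
            "proto": proto,
        })
    return rows


def beacon_profile(rows, min_alerts=5, max_cv=0.5):
    """Per (src, dst, dport, proto): count, time span, median gap, coefficient
    of variation of the gaps (jitter), distinct source ports, beacon verdict.
    min_alerts and max_cv are assumed thresholds, not values from the report."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["src"], r["dst"], r["dport"], r["proto"])].append(r)
    profile = {}
    for key, rs in groups.items():
        rs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rs, rs[1:])]
        cv = (pstdev(gaps) / mean(gaps)) if gaps and mean(gaps) > 0 else None
        profile[key] = {
            "count": len(rs),
            "span_s": (rs[-1]["ts"] - rs[0]["ts"]).total_seconds(),
            "median_gap_s": median(gaps) if gaps else None,
            "cv": cv,
            # one new source port per alert means one new TCP connection per check-in
            "distinct_src_ports": len({r["sport"] for r in rs}),
            "beacon": len(rs) >= min_alerts and cv is not None and cv <= max_cv,
        }
    return profile


if __name__ == "__main__":
    for key, p in beacon_profile(parse_alerts(SAMPLE_ALERTS)).items():
        print("%s:%d/%s from %s -> %s" % (key[1], key[2], key[3], key[0], p))
```

On the excerpt the C2 group comes out at ten alerts, a median gap of about 2.7 s with a coefficient of variation under 0.1 and ten distinct source ports, so it is flagged; the two-alert control group is not, whatever its jitter, because it never reaches the minimum count. Over the full table the same profile would run for about four minutes with 103 alerts and 103 source ports.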


                AV Detection

Source: S91AYfMUT0.exe, Avira: detected
Source: C:\Users\user\AppData\Local\directory\icon.exe, Avira: detection malicious, Label: TR/AD.ShellcodeCrypter.itcqh
Source: 00000009.00000002.3742035824.0000000003400000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "5.95.169.137:2404:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-203ZZ1", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Local\directory\icon.exe, ReversingLabs: Detection: 60%
Source: S91AYfMUT0.exe, ReversingLabs: Detection: 60%
Source: Yara match, File source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.icon.exe.3470000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.icon.exe.3130000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.icon.exe.3470000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.icon.exe.3130000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000009.00000002.3742139950.0000000003412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.1496539129.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.1496792749.0000000000800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.3742035824.0000000003400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.1498234408.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: icon.exe PID: 7212, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: svchost.exe PID: 7284, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: icon.exe PID: 7676, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: svchost.exe PID: 6116, type: MEMORYSTR
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\directory\icon.exe, Joe Sandbox ML: detected
Source: S91AYfMUT0.exe, Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 9_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 9_2_004338C8
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 13_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 13_2_004338C8
Source: icon.exe, 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_2c01edba-d

                Exploits

                Source: Yara match | File source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.icon.exe.3470000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.icon.exe.3130000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.icon.exe.3470000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.icon.exe.3130000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.1496539129.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.1498234408.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: icon.exe PID: 7212, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7284, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: icon.exe PID: 7676, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6116, type: MEMORYSTR

                Privilege Escalation

                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_00407538 _wcslen,CoGetObject | 9_2_00407538
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00407538 _wcslen,CoGetObject | 13_2_00407538
                Source: S91AYfMUT0.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: wntdll.pdbUGP | source: icon.exe, 00000008.00000003.1337200630.0000000003880000.00000004.00001000.00020000.00000000.sdmp, icon.exe, 00000008.00000003.1335604041.0000000003650000.00000004.00001000.00020000.00000000.sdmp, icon.exe, 0000000C.00000003.1492846740.0000000003690000.00000004.00001000.00020000.00000000.sdmp, icon.exe, 0000000C.00000003.1493315506.00000000034F0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb | source: icon.exe, 00000008.00000003.1337200630.0000000003880000.00000004.00001000.00020000.00000000.sdmp, icon.exe, 00000008.00000003.1335604041.0000000003650000.00000004.00001000.00020000.00000000.sdmp, icon.exe, 0000000C.00000003.1492846740.0000000003690000.00000004.00001000.00020000.00000000.sdmp, icon.exe, 0000000C.00000003.1493315506.00000000034F0000.00000004.00001000.00020000.00000000.sdmp
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_00684696 GetFileAttributesW,FindFirstFileW,FindClose | 6_2_00684696
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_0068C93C FindFirstFileW,FindClose | 6_2_0068C93C
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_0068C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 6_2_0068C9C7
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_0068F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 6_2_0068F200
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_0068F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 6_2_0068F35D
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_0068F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 6_2_0068F65E
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_00683A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 6_2_00683A2B
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_00683D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 6_2_00683D4E
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_0068BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 6_2_0068BF27
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Code function: 8_2_00074696 GetFileAttributesW,FindFirstFileW,FindClose | 8_2_00074696
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Code function: 8_2_0007C93C FindFirstFileW,FindClose | 8_2_0007C93C
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Code function: 8_2_0007C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 8_2_0007C9C7
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Code function: 8_2_0007F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 8_2_0007F200
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Code function: 8_2_0007F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 8_2_0007F35D
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Code function: 8_2_0007F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 8_2_0007F65E
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Code function: 8_2_00073A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 8_2_00073A2B
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Code function: 8_2_00073D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 8_2_00073D4E
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Code function: 8_2_0007BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 8_2_0007BF27
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose | 9_2_0040928E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose | 9_2_0041C322
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose | 9_2_0040C388
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose | 9_2_004096A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose | 9_2_00408847
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_00407877 FindFirstFileW,FindNextFileW | 9_2_00407877
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0044E8F9 FindFirstFileExA | 9_2_0044E8F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose | 9_2_0040BB6B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW | 9_2_00419B86
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose | 9_2_0040BD72
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose | 13_2_0040928E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose | 13_2_0041C322
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose | 13_2_0040C388
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose | 13_2_004096A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose | 13_2_00408847
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00407877 FindFirstFileW,FindNextFileW | 13_2_00407877
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0044E8F9 FindFirstFileExA | 13_2_0044E8F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose | 13_2_0040BB6B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW | 13_2_00419B86
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose | 13_2_0040BD72
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW | 9_2_00407CD2
                Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
                Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
                Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\

                Networking

                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49701 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49719 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49721 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49722 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49716 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49731 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49703 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49743 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49758 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49728 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49739 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49752 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49770 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49714 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49776 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49778 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49786 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49735 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49742 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49756 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49732 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49705 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49710 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49806 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49760 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49745 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49749 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49729 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49759 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49751 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49782 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49747 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49794 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49717 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49746 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49797 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49753 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49769 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49712 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49702 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49798 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49741 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49761 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49748 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49700 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49793 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49787 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49799 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49733 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49779 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49711 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49724 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49744 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49784 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49718 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49709 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49765 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49800 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49725 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49755 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49768 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49737 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49788 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49772 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49780 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49795 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49766 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49764 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49713 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49785 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49730 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49767 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49715 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49789 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49771 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49803 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49775 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49790 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49783 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49726 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49727 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49720 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49802 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49807 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49774 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49754 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49738 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49801 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49734 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49791 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49736 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49804 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49740 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49781 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49773 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49757 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49762 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49777 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49750 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49796 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49763 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49805 -> 45.95.169.137:2404
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49792 -> 45.95.169.137:2404
                Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 45.95.169.137 2404
                Source: Malware configuration extractor | URLs: 5.95.169.137
                Source: global traffic | TCP traffic: 192.168.2.10:49700 -> 45.95.169.137:2404
                Source: Joe Sandbox View | ASN Name: GIGANET-HUGigaNetInternetServiceProviderCoHU GIGANET-HUGigaNetInternetServiceProviderCoHU
                Source: unknown | TCP traffic detected without corresponding DNS query: 45.95.169.137
                Source: unknownTCP traffic detected without corresponding DNS query: 45.95.169.137
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_006925E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
                Source: svchost.exe | String found in binary or memory: http://geoplugin.net/json.gp
                Source: icon.exe, 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, icon.exe, 0000000C.00000002.1498234408.0000000003470000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1496539129.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
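The rows above are the sandbox's "TCP traffic without corresponding DNS query" heuristic firing repeatedly for one address. The Python below is an added illustration of that heuristic, not code from the Joe Sandbox report or from the Remcos sample: it walks a time-ordered list of DNS-answer and TCP-connect events, ignores destinations that never need DNS (private, loopback, link-local), and flags public addresses that no answer named within a configurable window. The events are constructed for the example; 45.95.169.137 is the address the report lists, www.example.com / 93.184.216.34 stand in for ordinary name-resolved traffic and 10.0.0.5 for a LAN peer. The window (`ttl`) and the public-address filter are the two knobs that decide false positives: a client reusing a cached resolution after the window, or DNS-over-HTTPS the sensor cannot see, looks exactly like a hard-coded C2 address.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample, not a real capture. Events are (ISO timestamp, kind, fields)
# and must be in time order, as they would come out of a sensor.
SAMPLE_EVENTS = [
    ("2024-09-12T10:00:00", "dns", {"qname": "www.example.com", "answers": ["93.184.216.34"]}),
    ("2024-09-12T10:00:01", "tcp", {"dst": "93.184.216.34"}),   # resolved one second earlier
    ("2024-09-12T10:00:02", "tcp", {"dst": "45.95.169.137"}),   # no DNS answer ever named this IP
    ("2024-09-12T10:00:05", "tcp", {"dst": "10.0.0.5"}),        # LAN peer, never needs DNS
    ("2024-09-12T10:00:32", "tcp", {"dst": "45.95.169.137"}),   # periodic reconnects
    ("2024-09-12T10:01:02", "tcp", {"dst": "45.95.169.137"}),
    ("2024-09-12T12:30:00", "tcp", {"dst": "93.184.216.34"}),   # 2.5 h after its last answer
]


def tcp_without_dns(events, ttl=timedelta(hours=1)):
    """Count TCP connections to public IPs that no DNS answer named within `ttl`
    before the connection. Returns Counter(ip -> number of such connections)."""
    last_answer = {}          # ip -> timestamp of the most recent answer naming it
    hits = Counter()
    for ts_str, kind, data in events:
        ts = datetime.fromisoformat(ts_str)
        if kind == "dns":
            for ip in data["answers"]:
                last_answer[ip] = ts
        elif kind == "tcp":
            ip = data["dst"]
            # Private, loopback, link-local and multicast destinations are reached
            # by address as a matter of course; only public space is interesting.
            if not ipaddress.ip_address(ip).is_global:
                continue
            seen = last_answer.get(ip)
            if seen is None or ts - seen > ttl:
                hits[ip] += 1
    return hits


def summarize(hits):
    """One line per flagged destination, most-contacted first, so dozens of
    identical sandbox rows collapse into a single count."""
    return [f"{ip}: {n} TCP connection(s) with no prior DNS answer"
            for ip, n in hits.most_common()]


if __name__ == "__main__":
    for line in summarize(tcp_without_dns(SAMPLE_EVENTS)):
        print(line)
```

Run as is, the C2 address is reported three times and the stale example.com reconnect once; widening `ttl` to six hours clears the second one, which is the trade-off to tune against the DNS cache lifetime of the monitored hosts.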

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 (idHook 0x0D = WH_KEYBOARD_LL, a low-level keyboard hook with its hook procedure at 0040A2DF: the keylogging primitive, installed by the payload running inside svchost.exe)
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_0069425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard (the hits in S91AYfMUT0.exe and icon.exe belong to the AutoIt3 interpreter runtime the dropper is built on; the svchost.exe hits are the injected payload)
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_00694458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Code function: 8_2_00084458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_00680219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_006ACDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Code function: 8_2_0009CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                Source: Yara match | File source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.icon.exe.3470000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.icon.exe.3130000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.icon.exe.3470000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.icon.exe.3130000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.1496539129.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.1498234408.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: icon.exe PID: 7212, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7284, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: icon.exe PID: 7676, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6116, type: MEMORYSTR

                E-Banking Fraud

                Source: Yara match | File source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.icon.exe.3470000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.icon.exe.3130000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.icon.exe.3470000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.icon.exe.3130000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000009.00000002.3742139950.0000000003412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.1496539129.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.1496792749.0000000000800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3742035824.0000000003400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.1498234408.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: icon.exe PID: 7212, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7284, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: icon.exe PID: 7676, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6116, type: MEMORYSTR

                Spam, unwanted Advertisements and Ransom Demands

                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0041CA73 SystemParametersInfoW
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0041CA73 SystemParametersInfoW

                System Summary

                Source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 12.2.icon.exe.3470000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 12.2.icon.exe.3470000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 12.2.icon.exe.3470000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 8.2.icon.exe.3130000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 8.2.icon.exe.3130000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 8.2.icon.exe.3130000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 12.2.icon.exe.3470000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 12.2.icon.exe.3470000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 12.2.icon.exe.3470000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 8.2.icon.exe.3130000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 8.2.icon.exe.3130000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 8.2.icon.exe.3130000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0000000D.00000002.1496539129.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000000D.00000002.1496539129.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0000000D.00000002.1496539129.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0000000C.00000002.1498234408.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000000C.00000002.1498234408.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0000000C.00000002.1498234408.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: Process Memory Space: icon.exe PID: 7212, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: svchost.exe PID: 7284, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: icon.exe PID: 7676, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: svchost.exe PID: 6116, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
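The Yara rows above (here and in the two sections before) name the same handful of memory dumps over and over, and the dump names encode where each match sits. The Python below is an added example, not code from Joe Sandbox or from the Remcos sample: it parses the "Matched rule" and "Yara match" row shapes, groups the rules per process index, and decodes the memory-dump name so the location of each match can be judged. The ".sdmp" field layout is an inference from the values on this page and is labelled as an assumption in the code: field 5 lines up with the winnt.h PAGE_* protection constants and field 7 with MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE; the two remaining numeric fields are left undecoded. Fed the rows for processes 9 and 13, it shows the payload matched at base 0x400000 of C:\Windows\SysWOW64\svchost.exe lives in a PAGE_EXECUTE_READWRITE region that is not a loaded image, which is what a hollowed or injected Remcos core looks like, while the same rules in icon.exe fire on an ordinary read-write private allocation. The sample rows are constructed from this page and deliberately include the fused cell form that HTML extraction produces.

```python
import re
from collections import defaultdict

# winnt.h PAGE_* values (low byte) and MEM_* region types, as VirtualQuery reports them.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMED layout of a ".sdmp" dump name, inferred from the values on the report page (it is
# not documented there): <process index>.<phase>.<dump id>.<base>.<protection>.<?>.<region type>.<?>.sdmp
# Only fields 5 and 7, whose values line up with the constants above, are interpreted.
SDMP_RE = re.compile(
    r"^(?P<pidx>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})\."
    r"(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.(?P<memtype>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$")
# "<process index>.<phase>.<image>.<base>.<n>[.raw].unpack"
UNPACK_RE = re.compile(r"^(?P<pidx>\d+)\.\d+\.(?P<image>.+?)\.[0-9A-Fa-f]+\.\d+(?:\.raw)?\.unpack$")
# The two row shapes. The " | " cell separator is optional so the fused form that HTML
# extraction produces ("...UNPACKEDPEMatched rule: ...") parses as well.
RULE_RE = re.compile(r"Source:\s*(?P<src>.+?), type: [A-Z]+\s*\|?\s*Matched rule: (?P<rule>\S+) Author:")
MATCH_RE = re.compile(r"Source:\s*Yara match\s*\|?\s*File source: (?P<src>.+?), type: [A-Z]+$")


def protect_name(protect):
    return PAGE_PROTECT.get(protect & 0xFF, f"0x{protect:x}")


def memtype_name(memtype):
    return MEM_TYPE.get(memtype, f"0x{memtype:x}")


def is_suspicious(protect, memtype):
    # Writable+executable memory that is not a normally loaded image is the footprint
    # of a payload written into the process from outside (hollowing / injection).
    return (protect & 0xFF) in (0x40, 0x80) and memtype != 0x1000000


def decode_source(src):
    """Map a source cell to (process index, image name or None, (base, protect, type) or None)."""
    m = SDMP_RE.match(src)
    if m:
        return int(m["pidx"], 16), None, (int(m["base"], 16), int(m["protect"], 16), int(m["memtype"], 16))
    m = UNPACK_RE.match(src)
    if m:
        return int(m["pidx"]), m["image"], None
    return None, None, None  # "Process Memory Space: ..." rows carry only a PID; skipped here


def triage(lines):
    """Group Yara rows by process index: rules matched, image names seen, regions dumped."""
    hits = defaultdict(lambda: {"rules": set(), "images": set(), "regions": []})
    for line in lines:
        line = line.strip()
        m = RULE_RE.search(line)
        rule = m["rule"] if m else None
        m = m or MATCH_RE.search(line)
        if not m:
            continue
        pidx, image, region = decode_source(m["src"])
        if pidx is None:
            continue
        if rule:
            hits[pidx]["rules"].add(rule)
        if image:
            hits[pidx]["images"].add(image)
        if region and region not in hits[pidx]["regions"]:
            hits[pidx]["regions"].append(region)
    return dict(hits)


def summarize(hits):
    """One line per dumped region with its verdict, plus one per process that has no dump."""
    out = []
    for pidx in sorted(hits):
        h = hits[pidx]
        img = ",".join(sorted(h["images"])) or "?"
        for base, prot, typ in h["regions"]:
            verdict = "SUSPICIOUS" if is_suspicious(prot, typ) else "ok"
            out.append(f"proc {pidx} ({img}) 0x{base:x} {protect_name(prot)} {memtype_name(typ)} "
                       f"{verdict} rules={sorted(h['rules'])}")
        if not h["regions"]:
            out.append(f"proc {pidx} ({img}) rules={sorted(h['rules'])}")
    return out


# Constructed from rows on the report page, in both the separated and the fused cell form.
SAMPLE_ROWS = """
Source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
Source: 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: Yara match | File source: 0000000D.00000002.1496539129.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Process Memory Space: svchost.exe PID: 7284, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
""".strip().splitlines()

if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_ROWS))))
```

The verdict is deliberately coarse: RWX plus non-image is enough to single out the hollowed svchost.exe regions here, but a packer that unpacks in place into its own image section, or a JIT, would need the base address compared against the loaded module list before calling it injection.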
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: This is a third-party compiled AutoIt script. 6_2_00623B4C
                Source: S91AYfMUT0.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: S91AYfMUT0.exe, 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_92c2fa67-8
                Source: S91AYfMUT0.exe, 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_ca072f58-7
                Source: S91AYfMUT0.exe, 00000006.00000003.1307801735.0000000003A45000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_3e58b70f-9
                Source: S91AYfMUT0.exe, 00000006.00000003.1307801735.0000000003A45000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_3d1fecb7-2
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Code function: This is a third-party compiled AutoIt script. 8_2_00013B4C
                Source: icon.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: icon.exe, 00000008.00000000.1308705452.00000000000C5000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_4b3d5142-5
                Source: icon.exe, 00000008.00000000.1308705452.00000000000C5000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_2eef661d-d
                Source: icon.exe, 0000000C.00000000.1463361438.00000000000C5000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_e32b8ba0-f
                Source: icon.exe, 0000000C.00000000.1463361438.00000000000C5000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_dacc41c0-5
                Source: S91AYfMUT0.exe | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_91693d92-4
                Source: S91AYfMUT0.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_953966b2-1
                Source: icon.exe.6.dr | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_cb6066bb-4
                Source: icon.exe.6.dr | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_1939fa0e-d
                Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_00684021: CreateFileW,DeviceIoControl,CloseHandle
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_00678AF9 GetCurrentProcess,OpenProcessToken,CreateEnvironmentBlock,CloseHandle,CreateProcessWithLogonW,DestroyEnvironmentBlock
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_0068545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Code function: 8_2_0007545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_0062E8006_2_0062E800
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_0064DBB56_2_0064DBB5
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_0062FE406_2_0062FE40
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_0062E0606_2_0062E060
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_006A804A6_2_006A804A
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_006341406_2_00634140
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_006424056_2_00642405
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_006565226_2_00656522
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_006A06656_2_006A0665
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_0065267E6_2_0065267E
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_006368436_2_00636843
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_0064283A6_2_0064283A
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_006589DF6_2_006589DF
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_00638A0E6_2_00638A0E
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_006A0AE26_2_006A0AE2
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_00656A946_2_00656A94
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_0067EB076_2_0067EB07
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_00688B136_2_00688B13
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_0064CD616_2_0064CD61
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_006570066_2_00657006
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_0063710E6_2_0063710E
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_006331906_2_00633190
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_006212876_2_00621287
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_006433C76_2_006433C7
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_0064F4196_2_0064F419
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_006416C46_2_006416C4
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_006356806_2_00635680
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_006358C06_2_006358C0
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_006478D36_2_006478D3
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_00641BB86_2_00641BB8
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_00659D056_2_00659D05
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_0064BFE66_2_0064BFE6
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_00641FD06_2_00641FD0
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_00F335F06_2_00F335F0
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_0001E0608_2_0001E060
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_0001E8008_2_0001E800
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_0003DBB58_2_0003DBB5
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_0001FE408_2_0001FE40
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_0009804A8_2_0009804A
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_000241408_2_00024140
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_000324058_2_00032405
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_000465228_2_00046522
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_000906658_2_00090665
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_0004267E8_2_0004267E
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_0003283A8_2_0003283A
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_000268438_2_00026843
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_000489DF8_2_000489DF
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_00028A0E8_2_00028A0E
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_00046A948_2_00046A94
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_00090AE28_2_00090AE2
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_0006EB078_2_0006EB07
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_00078B138_2_00078B13
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_0003CD618_2_0003CD61
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_000470068_2_00047006
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_0002710E8_2_0002710E
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_000231908_2_00023190
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_000112878_2_00011287
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_000333C78_2_000333C7
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_0003F4198_2_0003F419
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_000256808_2_00025680
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_000316C48_2_000316C4
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_000258C08_2_000258C0
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_000378D38_2_000378D3
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_00031BB88_2_00031BB8
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_00049D058_2_00049D05
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_00031FD08_2_00031FD0
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_0003BFE68_2_0003BFE6
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_031235F08_2_031235F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0043706A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_00414005
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0043E11C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_004541D9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_004381E8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0041F18B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_00446270
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0043E34B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_004533AB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0042742E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_00437566
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0043E5A8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_004387F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0043797E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_004339D7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0044DA49
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_00427AD7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0041DBF3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_00427C40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_00437DB3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_00435EEB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0043DEED
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_00426E9F
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Code function: 12_2_02EB35F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0043706A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00414005
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0043E11C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_004541D9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_004381E8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0041F18B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00446270
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0043E34B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_004533AB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0042742E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00437566
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0043E5A8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_004387F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0043797E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_004339D7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0044DA49
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00427AD7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0041DBF3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00427C40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00437DB3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00435EEB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0043DEED
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00426E9F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00402213 appears 38 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 004052FD appears 32 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0040417E appears 46 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00402093 appears 100 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00401E65 appears 68 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00434E70 appears 108 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00401FAB appears 38 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 004020DF appears 40 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00434801 appears 82 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00457AA8 appears 34 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00445951 appears 56 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0044854A appears 36 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00411FA2 appears 32 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 004046F7 appears 34 times
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Code function: String function: 00017F41 appears 35 times
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Code function: String function: 00038B40 appears 42 times
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Code function: String function: 00030D27 appears 70 times
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: String function: 00627F41 appears 35 times
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: String function: 00648B40 appears 42 times
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: String function: 00640D27 appears 70 times
                Source: S91AYfMUT0.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 12.2.icon.exe.3470000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 12.2.icon.exe.3470000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 12.2.icon.exe.3470000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 8.2.icon.exe.3130000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 8.2.icon.exe.3130000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 8.2.icon.exe.3130000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 12.2.icon.exe.3470000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 12.2.icon.exe.3470000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 12.2.icon.exe.3470000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 8.2.icon.exe.3130000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 8.2.icon.exe.3130000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 8.2.icon.exe.3130000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0000000D.00000002.1496539129.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000000D.00000002.1496539129.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0000000D.00000002.1496539129.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0000000C.00000002.1498234408.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000000C.00000002.1498234408.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0000000C.00000002.1498234408.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: Process Memory Space: icon.exe PID: 7212, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: svchost.exe PID: 7284, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: icon.exe PID: 7676, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: svchost.exe PID: 6116, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@10/10@0/1
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_0068A2D5 GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_00678713 AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_00678CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Code function: 8_2_00068713 AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Code function: 8_2_00068CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_0068B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_0069F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_0067DA5D CoCreateInstance,SetErrorMode,GetProcAddress,SetErrorMode
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Code function: 6_2_00624FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | File created: C:\Users\user\AppData\Local\directory
                Source: C:\Windows\SysWOW64\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-203ZZ1
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | File created: C:\Users\user\AppData\Local\Temp\autAF64.tmp
                Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icon.vbs"
                Source: S91AYfMUT0.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: S91AYfMUT0.exe | ReversingLabs: Detection: 60%
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | File read: C:\Users\user\Desktop\S91AYfMUT0.exe
                Source: unknown | Process created: C:\Users\user\Desktop\S91AYfMUT0.exe "C:\Users\user\Desktop\S91AYfMUT0.exe"
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Process created: C:\Users\user\AppData\Local\directory\icon.exe "C:\Users\user\Desktop\S91AYfMUT0.exe"
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\S91AYfMUT0.exe"
                Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icon.vbs"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\directory\icon.exe "C:\Users\user\AppData\Local\directory\icon.exe"
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\icon.exe"
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Process created: C:\Users\user\AppData\Local\directory\icon.exe "C:\Users\user\Desktop\S91AYfMUT0.exe"
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\S91AYfMUT0.exe"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\directory\icon.exe "C:\Users\user\AppData\Local\directory\icon.exe"
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\icon.exe"
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Section loaded: scrrun.dll
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Section loaded: sxs.dll
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Section loaded: scrrun.dll
                Source: C:\Users\user\AppData\Local\directory\icon.exe | Section loaded: sxs.dll
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: winmm.dll
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rstrtmgr.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Users\user\AppData\Local\directory\icon.exeSection loaded: wsock32.dllJump to behavior
                Source: C:\Users\user\AppData\Local\directory\icon.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Local\directory\icon.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\AppData\Local\directory\icon.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\AppData\Local\directory\icon.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\AppData\Local\directory\icon.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\directory\icon.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Local\directory\icon.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Local\directory\icon.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\directory\icon.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Local\directory\icon.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\directory\icon.exeSection loaded: scrrun.dllJump to behavior
                Source: C:\Users\user\AppData\Local\directory\icon.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rstrtmgr.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32Jump to behavior
                Source: S91AYfMUT0.exeStatic file information: File size 1279488 > 1048576
                Source: S91AYfMUT0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: S91AYfMUT0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: S91AYfMUT0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: S91AYfMUT0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: S91AYfMUT0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: S91AYfMUT0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: S91AYfMUT0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: wntdll.pdbUGP source: icon.exe, 00000008.00000003.1337200630.0000000003880000.00000004.00001000.00020000.00000000.sdmp, icon.exe, 00000008.00000003.1335604041.0000000003650000.00000004.00001000.00020000.00000000.sdmp, icon.exe, 0000000C.00000003.1492846740.0000000003690000.00000004.00001000.00020000.00000000.sdmp, icon.exe, 0000000C.00000003.1493315506.00000000034F0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: icon.exe, 00000008.00000003.1337200630.0000000003880000.00000004.00001000.00020000.00000000.sdmp, icon.exe, 00000008.00000003.1335604041.0000000003650000.00000004.00001000.00020000.00000000.sdmp, icon.exe, 0000000C.00000003.1492846740.0000000003690000.00000004.00001000.00020000.00000000.sdmp, icon.exe, 0000000C.00000003.1493315506.00000000034F0000.00000004.00001000.00020000.00000000.sdmp
                Source: S91AYfMUT0.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: S91AYfMUT0.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: S91AYfMUT0.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: S91AYfMUT0.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: S91AYfMUT0.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_0069C304 LoadLibraryA,GetProcAddress,6_2_0069C304
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_0062C590 push eax; retn 0062h6_2_0062C599
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeCode function: 6_2_00648B85 push ecx; ret 6_2_00648B98
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_0001C590 push eax; retn 0001h8_2_0001C599
                Source: C:\Users\user\AppData\Local\directory\icon.exeCode function: 8_2_00038B85 push ecx; ret 8_2_00038B98
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_00457186 push ecx; ret 9_2_00457199
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0045E55D push esi; ret 9_2_0045E566
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_00457AA8 push eax; ret 9_2_00457AC6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_00434EB6 push ecx; ret 9_2_00434EC9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_00457186 push ecx; ret 13_2_00457199
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_0045E55D push esi; ret 13_2_0045E566
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_00457AA8 push eax; ret 13_2_00457AC6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_00434EB6 push ecx; ret 13_2_00434EC9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_00406EEB ShellExecuteW,URLDownloadToFileW,9_2_00406EEB
                Source: C:\Users\user\Desktop\S91AYfMUT0.exeFile created: C:\Users\user\AppData\Local\directory\icon.exeJump to dropped file

                Boot Survival

                Source: C:\Users\user\AppData\Local\directory\icon.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icon.vbs
                Source: C:\Users\user\AppData\Local\directory\icon.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icon.vbs
                Source: C:\Users\user\AppData\Local\directory\icon.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icon.vbs
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 9_2_0041AADB
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_00624A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 6_2_00624A35
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_006A55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 6_2_006A55FD
                Source: C:\Users\user\AppData\Local\directory\icon.exe Code function: 8_2_00014A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 8_2_00014A35
                Source: C:\Users\user\AppData\Local\directory\icon.exe Code function: 8_2_000955FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 8_2_000955FD
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_006433C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_006433C7
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\directory\icon.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\directory\icon.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\directory\icon.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\directory\icon.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0040F7E2 Sleep,ExitProcess, 9_2_0040F7E2
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_0040F7E2 Sleep,ExitProcess, 13_2_0040F7E2
                Source: C:\Users\user\AppData\Local\directory\icon.exe API/Special instruction interceptor: Address: 3123214
                Source: C:\Users\user\AppData\Local\directory\icon.exe API/Special instruction interceptor: Address: 2EB3214
                Source: C:\Windows\SysWOW64\svchost.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 9_2_0041A7D9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 13_2_0041A7D9
                Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                Source: C:\Windows\SysWOW64\svchost.exe Window / User API: threadDelayed 9749
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_6-100485
                Source: C:\Users\user\AppData\Local\directory\icon.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe API coverage: 5.0 %
                Source: C:\Users\user\AppData\Local\directory\icon.exe API coverage: 5.2 %
                Source: C:\Windows\SysWOW64\svchost.exe API coverage: 9.3 %
                Source: C:\Windows\SysWOW64\svchost.exe API coverage: 6.2 %
                Source: C:\Windows\SysWOW64\svchost.exe TID: 7328 Thread sleep count: 196 > 30
                Source: C:\Windows\SysWOW64\svchost.exe TID: 7328 Thread sleep time: -588000s >= -30000s
                Source: C:\Windows\SysWOW64\svchost.exe TID: 7328 Thread sleep count: 9749 > 30
                Source: C:\Windows\SysWOW64\svchost.exe TID: 7328 Thread sleep time: -29247000s >= -30000s
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_00684696 GetFileAttributesW,FindFirstFileW,FindClose, 6_2_00684696
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_0068C93C FindFirstFileW,FindClose, 6_2_0068C93C
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_0068C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 6_2_0068C9C7
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_0068F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_0068F200
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_0068F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_0068F35D
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_0068F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_0068F65E
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_00683A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_00683A2B
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_00683D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_00683D4E
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_0068BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_0068BF27
                Source: C:\Users\user\AppData\Local\directory\icon.exe Code function: 8_2_00074696 GetFileAttributesW,FindFirstFileW,FindClose, 8_2_00074696
                Source: C:\Users\user\AppData\Local\directory\icon.exe Code function: 8_2_0007C93C FindFirstFileW,FindClose, 8_2_0007C93C
                Source: C:\Users\user\AppData\Local\directory\icon.exe Code function: 8_2_0007C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 8_2_0007C9C7
                Source: C:\Users\user\AppData\Local\directory\icon.exe Code function: 8_2_0007F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_0007F200
                Source: C:\Users\user\AppData\Local\directory\icon.exe Code function: 8_2_0007F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_0007F35D
                Source: C:\Users\user\AppData\Local\directory\icon.exe Code function: 8_2_0007F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 8_2_0007F65E
                Source: C:\Users\user\AppData\Local\directory\icon.exe Code function: 8_2_00073A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_00073A2B
                Source: C:\Users\user\AppData\Local\directory\icon.exe Code function: 8_2_00073D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_00073D4E
                Source: C:\Users\user\AppData\Local\directory\icon.exe Code function: 8_2_0007BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 8_2_0007BF27
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 9_2_0040928E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 9_2_0041C322
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 9_2_0040C388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 9_2_004096A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 9_2_00408847
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00407877 FindFirstFileW,FindNextFileW, 9_2_00407877
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0044E8F9 FindFirstFileExA, 9_2_0044E8F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 9_2_0040BB6B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 9_2_00419B86
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 9_2_0040BD72
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 13_2_0040928E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 13_2_0041C322
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 13_2_0040C388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 13_2_004096A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 13_2_00408847
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_00407877 FindFirstFileW,FindNextFileW, 13_2_00407877
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_0044E8F9 FindFirstFileExA, 13_2_0044E8F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 13_2_0040BB6B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 13_2_00419B86
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 13_2_0040BD72
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 9_2_00407CD2
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_00624AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 6_2_00624AFE
                Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
                Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\
                Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\
                Source: svchost.exe, 00000009.00000002.3742139950.0000000003412000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe API call chain: ExitProcess graph end node graph_6-97882
                Source: C:\Users\user\AppData\Local\directory\icon.exe API call chain: ExitProcess graph end node
                Source: C:\Windows\SysWOW64\svchost.exe API call chain: ExitProcess graph end node
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_006941FD BlockInput, 6_2_006941FD
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_00623B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 6_2_00623B4C
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_00655CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 6_2_00655CCC
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_0069C304 LoadLibraryA,GetProcAddress, 6_2_0069C304
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_00F334E0 mov eax, dword ptr fs:[00000030h] 6_2_00F334E0
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_00F33480 mov eax, dword ptr fs:[00000030h] 6_2_00F33480
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_00F31E70 mov eax, dword ptr fs:[00000030h] 6_2_00F31E70
                Source: C:\Users\user\AppData\Local\directory\icon.exe Code function: 8_2_03123480 mov eax, dword ptr fs:[00000030h] 8_2_03123480
                Source: C:\Users\user\AppData\Local\directory\icon.exe Code function: 8_2_031234E0 mov eax, dword ptr fs:[00000030h] 8_2_031234E0
                Source: C:\Users\user\AppData\Local\directory\icon.exe Code function: 8_2_03121E70 mov eax, dword ptr fs:[00000030h] 8_2_03121E70
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00443355 mov eax, dword ptr fs:[00000030h] 9_2_00443355
                Source: C:\Users\user\AppData\Local\directory\icon.exe Code function: 12_2_02EB34E0 mov eax, dword ptr fs:[00000030h] 12_2_02EB34E0
                Source: C:\Users\user\AppData\Local\directory\icon.exe Code function: 12_2_02EB1E70 mov eax, dword ptr fs:[00000030h] 12_2_02EB1E70
                Source: C:\Users\user\AppData\Local\directory\icon.exe Code function: 12_2_02EB3480 mov eax, dword ptr fs:[00000030h] 12_2_02EB3480
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_00443355 mov eax, dword ptr fs:[00000030h] 13_2_00443355
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_006781F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 6_2_006781F7
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_0064A364 SetUnhandledExceptionFilter, 6_2_0064A364
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe Code function: 6_2_0064A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_0064A395
                Source: C:\Users\user\AppData\Local\directory\icon.exe Code function: 8_2_0003A364 SetUnhandledExceptionFilter, 8_2_0003A364
                Source: C:\Users\user\AppData\Local\directory\icon.exe Code function: 8_2_0003A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_0003A395
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_0043503C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00434A8A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_0043BB71
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00434BD8 SetUnhandledExceptionFilter, 9_2_00434BD8
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_0043503C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00434A8A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_0043BB71
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_00434BD8 SetUnhandledExceptionFilter, 13_2_00434BD8

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 45.95.169.137 2404
                Source: C:\Users\user\AppData\Local\directory\icon.exe, Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Users\user\AppData\Local\directory\icon.exe, Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Users\user\AppData\Local\directory\icon.exe, Memory written: C:\Windows\SysWOW64\svchost.exe base: 2FC0008
                Source: C:\Users\user\AppData\Local\directory\icon.exe, Memory written: C:\Windows\SysWOW64\svchost.exe base: 2FC008
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 9_2_00412132 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 13_2_00412132 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe, Code function: 6_2_00678C93 LogonUserW
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe, Code function: 6_2_00623B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe, Code function: 6_2_00624A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe, Code function: 6_2_00684EF5 mouse_event
                Source: C:\Users\user\AppData\Local\directory\icon.exe, Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\S91AYfMUT0.exe"
                Source: C:\Windows\System32\wscript.exe, Process created: C:\Users\user\AppData\Local\directory\icon.exe "C:\Users\user\AppData\Local\directory\icon.exe"
                Source: C:\Users\user\AppData\Local\directory\icon.exe, Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\icon.exe"
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe, Code function: 6_2_006781F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe, Code function: 6_2_00684C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: S91AYfMUT0.exe, icon.exe.6.dr, Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: S91AYfMUT0.exe, icon.exe, Binary or memory string: Shell_TrayWnd
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe, Code function: 6_2_0064886B cpuid
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 9_2_0045201B EnumSystemLocalesW
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 9_2_004520B6 EnumSystemLocalesW
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 9_2_00452143 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 9_2_00452393 GetLocaleInfoW
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 9_2_00448484 EnumSystemLocalesW
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 9_2_004524BC GetLocaleInfoW,GetLocaleInfoW,GetACP
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 9_2_004525C3 GetLocaleInfoW
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 9_2_00452690 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 9_2_0044896D GetLocaleInfoW
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 9_2_0040F90C GetLocaleInfoA
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 9_2_00451D58 IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 9_2_00451FD0 EnumSystemLocalesW
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 13_2_0045201B EnumSystemLocalesW
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 13_2_004520B6 EnumSystemLocalesW
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 13_2_00452143 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 13_2_00452393 GetLocaleInfoW
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 13_2_00448484 EnumSystemLocalesW
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 13_2_004524BC GetLocaleInfoW,GetLocaleInfoW,GetACP
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 13_2_004525C3 GetLocaleInfoW
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 13_2_00452690 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 13_2_0044896D GetLocaleInfoW
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 13_2_0040F90C GetLocaleInfoA
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 13_2_00451D58 IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 13_2_00451FD0 EnumSystemLocalesW
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe, Code function: 6_2_006550D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe, Code function: 6_2_00662230 GetUserNameW
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe, Code function: 6_2_0065418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe, Code function: 6_2_00624AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match, File source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 12.2.icon.exe.3470000.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 8.2.icon.exe.3130000.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 12.2.icon.exe.3470000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 8.2.icon.exe.3130000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000009.00000002.3742139950.0000000003412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000D.00000002.1496539129.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000D.00000002.1496792749.0000000000800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000009.00000002.3742035824.0000000003400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000002.1498234408.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: icon.exe PID: 7212, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: svchost.exe PID: 7284, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: icon.exe PID: 7676, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: svchost.exe PID: 6116, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 9_2_0040BA4D \AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 13_2_0040BA4D \AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 9_2_0040BB6B \AppData\Roaming\Mozilla\Firefox\Profiles\
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 9_2_0040BB6B \key3.db
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 13_2_0040BB6B \AppData\Roaming\Mozilla\Firefox\Profiles\
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 13_2_0040BB6B \key3.db
                Source: icon.exe, Binary or memory string: WIN_81
                Source: icon.exe, Binary or memory string: WIN_XP
                Source: icon.exe, Binary or memory string: WIN_XPe
                Source: icon.exe, Binary or memory string: WIN_VISTA
                Source: icon.exe, Binary or memory string: WIN_7
                Source: icon.exe, Binary or memory string: WIN_8
                Source: icon.exe.6.dr, Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                Source: C:\Windows\SysWOW64\svchost.exe, Mutex created: \Sessions\1\BaseNamedObjects\Rmc-203ZZ1
                Source: C:\Windows\SysWOW64\svchost.exe, Mutex created: \Sessions\1\BaseNamedObjects\Rmc-203ZZ1
                Source: Yara match, File source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 12.2.icon.exe.3470000.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 8.2.icon.exe.3130000.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 12.2.icon.exe.3470000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 8.2.icon.exe.3130000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000009.00000002.3742139950.0000000003412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000D.00000002.1496539129.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000D.00000002.1496792749.0000000000800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000009.00000002.3742035824.0000000003400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000002.1498234408.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: icon.exe PID: 7212, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: svchost.exe PID: 7284, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: icon.exe PID: 7676, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: svchost.exe PID: 6116, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 9_2_0040569A cmd.exe
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 13_2_0040569A cmd.exe
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe, Code function: 6_2_00696596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe, Code function: 6_2_00696A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                Source: C:\Users\user\Desktop\S91AYfMUT0.exe, Code function: 6_2_00657CF1 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset
                Source: C:\Users\user\AppData\Local\directory\icon.exe, Code function: 8_2_00086596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                Source: C:\Users\user\AppData\Local\directory\icon.exe, Code function: 8_2_00086A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                Source: C:\Users\user\AppData\Local\directory\icon.exe, Code function: 8_2_00047CF1 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset
                MITRE ATT&CK Matrix (numbers in front of a technique are the count of matching signatures; techniques without a number were not observed)

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
                Gather Victim Identity Information | 111 Scripting | 2 Valid Accounts | 2 Native API | 111 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 11 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 121 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 121 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
                Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | 2 Valid Accounts | 1 Bypass User Account Control | 2 Obfuscated Files or Information | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Windows Service | 2 Valid Accounts | 1 DLL Side-Loading | NTDS | 4 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | 2 Registry Run Keys / Startup Folder | 21 Access Token Manipulation | 1 Bypass User Account Control | LSA Secrets | 126 System Information Discovery | SSH | Keylogging | 1 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Windows Service | 1 Masquerading | Cached Domain Credentials | 231 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 322 Process Injection | 2 Valid Accounts | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | 2 Registry Run Keys / Startup Folder | 1 Virtualization/Sandbox Evasion | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Access Token Manipulation | /etc/passwd and /etc/shadow | 11 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 322 Process Injection | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                Behavior Graph
                Behavior Graph ID: 1510361
                Sample: S91AYfMUT0.exe
                Start date: 12/09/2024
                Architecture: WINDOWS
                Score: 100

                Start signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
                S91AYfMUT0.exe (started)
                    Dropped: C:\Users\user\AppData\Local\...\icon.exe, PE32
                    Signatures: Binary is likely a compiled AutoIt script file
                    icon.exe (started)
                        Dropped: C:\Users\user\AppData\Roaming\...\icon.vbs, data
                        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; 3 other signatures
                        svchost.exe (started)
                            Network: 45.95.169.137, ports 2404, 49700, 49701, GIGANET-HUGigaNetInternetServiceProviderCoHU, Croatia (LOCAL Name: Hrvatska)
                            Signatures: System process connects to network (likely due to code injection or exploit); Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; 5 other signatures
                wscript.exe (started)
                    Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                    icon.exe (started)
                        Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
                        svchost.exe (started)

                Antivirus detection for the submitted sample
                Source | Detection | Scanner | Label
                --- | --- | --- | ---
                S91AYfMUT0.exe | 61% | ReversingLabs | Win32.Trojan.Formbooks
                S91AYfMUT0.exe | 100% | Avira | TR/AD.ShellcodeCrypter.itcqh
                S91AYfMUT0.exe | 100% | Joe Sandbox ML |

                Antivirus detection for dropped files
                Source | Detection | Scanner | Label
                --- | --- | --- | ---
                C:\Users\user\AppData\Local\directory\icon.exe | 100% | Avira | TR/AD.ShellcodeCrypter.itcqh
                C:\Users\user\AppData\Local\directory\icon.exe | 100% | Joe Sandbox ML |
                C:\Users\user\AppData\Local\directory\icon.exe | 61% | ReversingLabs | Win32.Trojan.Formbooks
                No Antivirus matches
                No Antivirus matches
                Antivirus detection for URLs
                Source | Detection | Scanner | Label
                --- | --- | --- | ---
                5.95.169.137 | 0% | Avira URL Cloud | safe
                http://geoplugin.net/json.gp/C | 0% | Avira URL Cloud | safe
                http://geoplugin.net/json.gp | 0% | Avira URL Cloud | safe
                No contacted domains info
                Contacted IPs / names
                Name | Malicious | Antivirus Detection | Reputation
                --- | --- | --- | ---
                5.95.169.137 | true | Avira URL Cloud: safe | unknown

                URLs from memory and binaries
                Name | Source | Malicious | Antivirus Detection | Reputation
                --- | --- | --- | --- | ---
                http://geoplugin.net/json.gp | svchost.exe | false | Avira URL Cloud: safe | unknown
                http://geoplugin.net/json.gp/C | icon.exe, 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, icon.exe, 0000000C.00000002.1498234408.0000000003470000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1496539129.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                Contacted public IPs
                IP | Domain | Country | ASN | ASN Name | Malicious
                --- | --- | --- | --- | --- | ---
                45.95.169.137 | unknown | Croatia (LOCAL Name: Hrvatska) | 42864 | GIGANET-HUGigaNetInternetServiceProviderCoHU | true
                General Information
                Joe Sandbox version: 40.0.0 Tourmaline
                Analysis ID: 1510361
                Start date and time: 2024-09-12 21:26:12 +02:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 10m 22s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed: 17
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: S91AYfMUT0.exe (renamed because the original name is a hash value)
                Original Sample Name: b54974cd7b04beb5d6c5377ff6170f7b.exe
                Detection: MAL
                Classification: mal100.rans.troj.spyw.expl.evad.winEXE@10/10@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 63
                • Number of non-executed functions: 269
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes were analyzed; the report is missing behavior information.
                • Report creation exceeded the maximum time and may have missing disassembly code information.
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size exceeded maximum capacity and may have missing disassembly code.
                • Report size getting too big: too many NtOpenKeyEx calls found.
                • Report size getting too big: too many NtProtectVirtualMemory calls found.
                • Report size getting too big: too many NtQueryValueKey calls found.
                • VT rate limit hit for: S91AYfMUT0.exe
                Time | Type | Description
                --- | --- | ---
                15:27:48 | API Interceptor | 3775048x Sleep call for process: svchost.exe modified
                21:27:15 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icon.vbs
                Context: IPs
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                --- | --- | --- | --- | ---
                45.95.169.137 | #Inv_PI_{number_12}_pdf.exe | malicious | Remcos |

                Context: Domains
                No context

                Context: ASNs
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                --- | --- | --- | --- | ---
                GIGANET-HUGigaNetInternetServiceProviderCoHU | bot_library.exe | malicious | Unknown | 45.95.169.164
                GIGANET-HUGigaNetInternetServiceProviderCoHU | jv4ri.exe | malicious | Remcos | 45.95.169.104
                GIGANET-HUGigaNetInternetServiceProviderCoHU | P.O_Qouts_t87E90Y-E4R7G-PDF.exe | malicious | Remcos, GuLoader | 45.95.169.18
                GIGANET-HUGigaNetInternetServiceProviderCoHU | 7GfciIf7ys.exe | malicious | Unknown | 45.95.169.223
                GIGANET-HUGigaNetInternetServiceProviderCoHU | Qoute_EXW_prices_43GJI_pdf.exe | malicious | Remcos, GuLoader | 45.95.169.110
                GIGANET-HUGigaNetInternetServiceProviderCoHU | Qoute_EXW_prices_43GJI_pdf.exe | malicious | Remcos, GuLoader | 45.95.169.110
                GIGANET-HUGigaNetInternetServiceProviderCoHU | RFQ-7H87-F8R-pdf.exe | malicious | Remcos, GuLoader | 45.95.169.139
                GIGANET-HUGigaNetInternetServiceProviderCoHU | Q-5687-348t.exe | malicious | Remcos | 45.95.169.135
                GIGANET-HUGigaNetInternetServiceProviderCoHU | BdrPfb3rZS.elf | malicious | Gafgyt, Mirai | 45.95.169.149
                GIGANET-HUGigaNetInternetServiceProviderCoHU | otpD06ykDv.elf | malicious | Gafgyt, Mirai | 45.95.169.149

                Context: JA3 Fingerprints
                No context

                Context: Dropped Files
                No context
                Dropped file
                Process: C:\Users\user\Desktop\S91AYfMUT0.exe
                File Type: data
                Category: dropped
                Size (bytes): 494592
                Entropy (8bit): 7.521832179522871
                Encrypted: false
                SSDEEP: 12288:Jwb5chAnrozu9fYyPSaWw2hoAwEto79Y/x0Vg:Jwb5chAnOSgy6aTb0Q9Y/x06
                MD5: 356308ED0417041367FAD3A54E94411C
                SHA1: 6B3C8E524C57820E5733E2D2F35848E56FE644BC
                SHA-256: C5BB3BEAD0D3DE9796BA0BBDE3C2910AA3A6B9CA442888FA5C4B7C1CBAFE1C49
                SHA-512: 0F7CA1127B31EBE636208B499A2F4B0555F46F57CC279AEDE12784358F3B0124BBFCCC0F901DC97A9AE02A4469C73FCC74E72E5BC87BD5A43A997B559775717A
                Malicious: false
                Reputation: low
                  Process:C:\Users\user\Desktop\S91AYfMUT0.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):409308
                  Entropy (8bit):7.973460599748958
                  Encrypted:false
                  SSDEEP:12288:ZKehTXj7IWSlMpy8dcP5TgjYH87iI/xzc9:ZdhTTSlAvdcPZgsc7v/E
                  MD5:91CC8186CCC1BA31ECCCC940564607E9
                  SHA1:65524748A4CEFF46A551B3249F13AF9FF291D3A0
                  SHA-256:583D92477A454F67A7C0A3636CF6D3FAA17350384183E03B82D5B711F712AF9C
                  SHA-512:565F06AA2C6A6A21B11C5C33E5CAB09EC50AA44C16BC466E6BE3B1D4484A8B6968015B03645CF321EAA802B7FC716B53368C334304AF2DB64A94E2E8F167AB74
                  Malicious:false
                  Reputation:low
                  Preview:EA06.....Gx.....U..kSm..G..h@.....S.tz=\.;5...J..g.o....b......t..ft[|.k(.N.rkL.'.Vgv.,..;..m3..=y.Z.R....F.W.....Vh.?.7.K33X}w.7.sm.EO.H..lS..O)5....x`.....f.~W.....Z.Fs.......r.M&.......V@..t..9.......o,..f..."mn.89.."..pj!.i.....W.0.........u*.U.....jj..EFoA...*M..K.*...%..Y.88.`...K.....M&.6....*.&.......G..1bcI.m......*.:MjL....g}.z%..T..4.\.....mf...4...Ti7..O.}......+1O....<.P..w>..U3....y.2.3........M.*.lT.L.;;.U.r.=..0..*b.N...5 .O./I.B.....v..@.@.En.U...............d.K&..h..L.K.....E$....^0..t.E-.*-S@.#.P.....t.....!v...w!..+p .#.@.....Fh......k..E+.J.T......R)t{.......|.....Z........t.....i.j..O.@...}.U.b.t..2....P..=2.Z.f/.J<;...."S=............b.R`.Y,/_..R.Q/W....}c.;.&.I.{f.......R..I.'...8zp.....p.../......c5..C.%...sK.R...|#..uk..........I....[.-...0.......2.......h..A..P.r...C`.........._@..0.3$.F....:...V.t..>a........!..vb..~.)H..)...cc......lb``....lf.`../....#.+..1..#....5...#...f.......u.$.lK@..<'..lso....G....L.....iU.~3G.....
                  Process:C:\Users\user\Desktop\S91AYfMUT0.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):15306
                  Entropy (8bit):7.608975512491679
                  Encrypted:false
                  SSDEEP:384:axFB0xhY6C6usolt9Ev+8QnxlFGOdFLj5W82F3rHiM:a90xE7Fovpy7/dFnIZ9
                  MD5:E410190162FBA71E462649A0E4226FA0
                  SHA1:568EE172DDC949038005DC08064E6193A53B401A
                  SHA-256:994F01B7063FA279E0F58CF82C568B93D04E656CE932465843EB8A60992B6E8B
                  SHA-512:3C34E5A9D4C39A172AA0B9F669A7B2B51ED8333B92B634771F92374756E0724C7A9F0CBA7FB3044F07CB3FCA0127061E47B232572E6C0D62CF35668F46D52F65
                  Malicious:false
                  Reputation:low
                  Preview:EA06..........`.............0.|L.... .>&........ .|N...y..?.2.#.,@.....l.._.................7...,...........}. ...`.'.^.3P......q.M@+..0.?.a.....7...p|.*.............D..K.......0........|60-........ !_D....[|.`.......|.`.?.b......P...n.q....>....1...&........_...g.;.u..W....@N......8....l...&.......z.............6_p:7..d...,.._.%.......|.P...........0V..h.9..w}..O....B..`_.........l.$..$...T.&.(.=.......0..d......}...D..#....'...t.........b?k .G.Aa.....`1..=..#.C..c..1.....C.J......@1..(.#.!...............T}............l...z..P.'....~p.........8?Y.B..1...,@..8B..3.`...)...&....$}.4..(...c..../>..o......I|3`...p.y..E}.0.x%...Q.X@*?.I.f..e...f...........~.=_.....'...........O8...&@/_.8W......X.9.{(...b.j..@._.$..3.@...N..l..h.....|.._E........~..$.......puO.......~.Q;..........K....e.......p4.........60.........v.3q...[.....`.O.HJ+.....g z.p..m4....&@4.8.G...I...>?..ww..M...R..I..2..1.H..T>...G......(}.pF.`/..3..`@................b.F....~....jh........2
                  Process:C:\Users\user\AppData\Local\directory\icon.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):409308
                  Entropy (8bit):7.973460599748958
                  Encrypted:false
                  SSDEEP:12288:ZKehTXj7IWSlMpy8dcP5TgjYH87iI/xzc9:ZdhTTSlAvdcPZgsc7v/E
                  MD5:91CC8186CCC1BA31ECCCC940564607E9
                  SHA1:65524748A4CEFF46A551B3249F13AF9FF291D3A0
                  SHA-256:583D92477A454F67A7C0A3636CF6D3FAA17350384183E03B82D5B711F712AF9C
                  SHA-512:565F06AA2C6A6A21B11C5C33E5CAB09EC50AA44C16BC466E6BE3B1D4484A8B6968015B03645CF321EAA802B7FC716B53368C334304AF2DB64A94E2E8F167AB74
                  Malicious:false
                  Reputation:low
                  Preview:EA06.....Gx.....U..kSm..G..h@.....S.tz=\.;5...J..g.o....b......t..ft[|.k(.N.rkL.'.Vgv.,..;..m3..=y.Z.R....F.W.....Vh.?.7.K33X}w.7.sm.EO.H..lS..O)5....x`.....f.~W.....Z.Fs.......r.M&.......V@..t..9.......o,..f..."mn.89.."..pj!.i.....W.0.........u*.U.....jj..EFoA...*M..K.*...%..Y.88.`...K.....M&.6....*.&.......G..1bcI.m......*.:MjL....g}.z%..T..4.\.....mf...4...Ti7..O.}......+1O....<.P..w>..U3....y.2.3........M.*.lT.L.;;.U.r.=..0..*b.N...5 .O./I.B.....v..@.@.En.U...............d.K&..h..L.K.....E$....^0..t.E-.*-S@.#.P.....t.....!v...w!..+p .#.@.....Fh......k..E+.J.T......R)t{.......|.....Z........t.....i.j..O.@...}.U.b.t..2....P..=2.Z.f/.J<;...."S=............b.R`.Y,/_..R.Q/W....}c.;.&.I.{f.......R..I.'...8zp.....p.../......c5..C.%...sK.R...|#..uk..........I....[.-...0.......2.......h..A..P.r...C`.........._@..0.3$.F....:...V.t..>a........!..vb..~.)H..)...cc......lb``....lf.`../....#.+..1..#....5...#...f.......u.$.lK@..<'..lso....G....L.....iU.~3G.....
                  Process:C:\Users\user\AppData\Local\directory\icon.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):15306
                  Entropy (8bit):7.608975512491679
                  Encrypted:false
                  SSDEEP:384:axFB0xhY6C6usolt9Ev+8QnxlFGOdFLj5W82F3rHiM:a90xE7Fovpy7/dFnIZ9
                  MD5:E410190162FBA71E462649A0E4226FA0
                  SHA1:568EE172DDC949038005DC08064E6193A53B401A
                  SHA-256:994F01B7063FA279E0F58CF82C568B93D04E656CE932465843EB8A60992B6E8B
                  SHA-512:3C34E5A9D4C39A172AA0B9F669A7B2B51ED8333B92B634771F92374756E0724C7A9F0CBA7FB3044F07CB3FCA0127061E47B232572E6C0D62CF35668F46D52F65
                  Malicious:false
                  Reputation:low
                  Preview:EA06..........`.............0.|L.... .>&........ .|N...y..?.2.#.,@.....l.._.................7...,...........}. ...`.'.^.3P......q.M@+..0.?.a.....7...p|.*.............D..K.......0........|60-........ !_D....[|.`.......|.`.?.b......P...n.q....>....1...&........_...g.;.u..W....@N......8....l...&.......z.............6_p:7..d...,.._.%.......|.P...........0V..h.9..w}..O....B..`_.........l.$..$...T.&.(.=.......0..d......}...D..#....'...t.........b?k .G.Aa.....`1..=..#.C..c..1.....C.J......@1..(.#.!...............T}............l...z..P.'....~p.........8?Y.B..1...,@..8B..3.`...)...&....$}.4..(...c..../>..o......I|3`...p.y..E}.0.x%...Q.X@*?.I.f..e...f...........~.=_.....'...........O8...&@/_.8W......X.9.{(...b.j..@._.$..3.@...N..l..h.....|.._E........~..$.......puO.......~.Q;..........K....e.......p4.........60.........v.3q...[.....`.O.HJ+.....g z.p..m4....&@4.8.G...I...>?..ww..M...R..I..2..1.H..T>...G......(}.pF.`/..3..`@................b.F....~....jh........2
                  Process:C:\Users\user\AppData\Local\directory\icon.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):409308
                  Entropy (8bit):7.973460599748958
                  Encrypted:false
                  SSDEEP:12288:ZKehTXj7IWSlMpy8dcP5TgjYH87iI/xzc9:ZdhTTSlAvdcPZgsc7v/E
                  MD5:91CC8186CCC1BA31ECCCC940564607E9
                  SHA1:65524748A4CEFF46A551B3249F13AF9FF291D3A0
                  SHA-256:583D92477A454F67A7C0A3636CF6D3FAA17350384183E03B82D5B711F712AF9C
                  SHA-512:565F06AA2C6A6A21B11C5C33E5CAB09EC50AA44C16BC466E6BE3B1D4484A8B6968015B03645CF321EAA802B7FC716B53368C334304AF2DB64A94E2E8F167AB74
                  Malicious:false
                  Reputation:low
                  Preview:EA06.....Gx.....U..kSm..G..h@.....S.tz=\.;5...J..g.o....b......t..ft[|.k(.N.rkL.'.Vgv.,..;..m3..=y.Z.R....F.W.....Vh.?.7.K33X}w.7.sm.EO.H..lS..O)5....x`.....f.~W.....Z.Fs.......r.M&.......V@..t..9.......o,..f..."mn.89.."..pj!.i.....W.0.........u*.U.....jj..EFoA...*M..K.*...%..Y.88.`...K.....M&.6....*.&.......G..1bcI.m......*.:MjL....g}.z%..T..4.\.....mf...4...Ti7..O.}......+1O....<.P..w>..U3....y.2.3........M.*.lT.L.;;.U.r.=..0..*b.N...5 .O./I.B.....v..@.@.En.U...............d.K&..h..L.K.....E$....^0..t.E-.*-S@.#.P.....t.....!v...w!..+p .#.@.....Fh......k..E+.J.T......R)t{.......|.....Z........t.....i.j..O.@...}.U.b.t..2....P..=2.Z.f/.J<;...."S=............b.R`.Y,/_..R.Q/W....}c.;.&.I.{f.......R..I.'...8zp.....p.../......c5..C.%...sK.R...|#..uk..........I....[.-...0.......2.......h..A..P.r...C`.........._@..0.3$.F....:...V.t..>a........!..vb..~.)H..)...cc......lb``....lf.`../....#.+..1..#....5...#...f.......u.$.lK@..<'..lso....G....L.....iU.~3G.....
                  Process:C:\Users\user\AppData\Local\directory\icon.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):15306
                  Entropy (8bit):7.608975512491679
                  Encrypted:false
                  SSDEEP:384:axFB0xhY6C6usolt9Ev+8QnxlFGOdFLj5W82F3rHiM:a90xE7Fovpy7/dFnIZ9
                  MD5:E410190162FBA71E462649A0E4226FA0
                  SHA1:568EE172DDC949038005DC08064E6193A53B401A
                  SHA-256:994F01B7063FA279E0F58CF82C568B93D04E656CE932465843EB8A60992B6E8B
                  SHA-512:3C34E5A9D4C39A172AA0B9F669A7B2B51ED8333B92B634771F92374756E0724C7A9F0CBA7FB3044F07CB3FCA0127061E47B232572E6C0D62CF35668F46D52F65
                  Malicious:false
                  Reputation:low
                  Preview:EA06..........`.............0.|L.... .>&........ .|N...y..?.2.#.,@.....l.._.................7...,...........}. ...`.'.^.3P......q.M@+..0.?.a.....7...p|.*.............D..K.......0........|60-........ !_D....[|.`.......|.`.?.b......P...n.q....>....1...&........_...g.;.u..W....@N......8....l...&.......z.............6_p:7..d...,.._.%.......|.P...........0V..h.9..w}..O....B..`_.........l.$..$...T.&.(.=.......0..d......}...D..#....'...t.........b?k .G.Aa.....`1..=..#.C..c..1.....C.J......@1..(.#.!...............T}............l...z..P.'....~p.........8?Y.B..1...,@..8B..3.`...)...&....$}.4..(...c..../>..o......I|3`...p.y..E}.0.x%...Q.X@*?.I.f..e...f...........~.=_.....'...........O8...&@/_.8W......X.9.{(...b.j..@._.$..3.@...N..l..h.....|.._E........~..$.......puO.......~.Q;..........K....e.......p4.........60.........v.3q...[.....`.O.HJ+.....g z.p..m4....&@4.8.G...I...>?..ww..M...R..I..2..1.H..T>...G......(}.pF.`/..3..`@................b.F....~....jh........2
                  Process:C:\Users\user\Desktop\S91AYfMUT0.exe
                  File Type:ASCII text, with very long lines (65536), with no line terminators
                  Category:dropped
                  Size (bytes):200730
                  Entropy (8bit):2.757297243983128
                  Encrypted:false
                  SSDEEP:192:dQyw4U1Emh0cHgDQNMo4eutXGlERJGrbmqsaogDVA9+ls4BqlF9HIrwVmclVw6XL:J
                  MD5:B034F1AAA54283EE47C256574A85FF9A
                  SHA1:5DE291E89694D741E0AF1BD240D1BAB7A8988DCF
                  SHA-256:10F5C3A669BE97B559AB6B46CEE58A290CCCC74CCAA411723F278080A708EA3A
                  SHA-512:83CEDBD49FF14E9F4FEBDD5F06606886F07D79D812E17EB7C936AA5EA89982D99E398122331C0A69F7684495F56777A7E6C3D195B359376700C03C447572964A
                  Malicious:false
                  Reputation:low
                  Preview:9200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016092001609200160920016
                  Process:C:\Users\user\Desktop\S91AYfMUT0.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):1279488
                  Entropy (8bit):7.274827926243343
                  Encrypted:false
                  SSDEEP:24576:2AHnh+eWsN3skA4RV1Hom2KXMmHa3fGd4WclYQnJ/J+MB8hCdC45:Rh+ZkldoPK8Ya3ed4WcyAJB+M+hM
                  MD5:B54974CD7B04BEB5D6C5377FF6170F7B
                  SHA1:229EAFFC4F15CBF5B2E21D9360E396AEE53FB1B7
                  SHA-256:9BEF149490674703ED211BD591252D0C1557251E2E0844F4D5885D84EC0207FF
                  SHA-512:AC5D5BC201933745399D16D2E65967129005D1A41AED4B3988ADA76CE9926B752322E075353728FCACBCD84DACD9C74CA62A215A3BEC3810B10C986E4302CF11
                  Malicious:true
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 61%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L....T.f.........."...............................@.......................................@...@.......@.........................|............................`..4q...+..............................PK..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc................4..............@..@.reloc..4q...`...r..................@..B........................................................................................................................................................................................................................................................................................
                  Process:C:\Users\user\AppData\Local\directory\icon.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):266
                  Entropy (8bit):3.433075250668502
                  Encrypted:false
                  SSDEEP:6:DMM8lfm3OOQdUfclq7UEZ+lX1Al1A3AlAnriIM8lfQVn:DsO+vNlq7Q1A1XlGmA2n
                  MD5:A0C4D1B2E091A01F2D72A02B317238B4
                  SHA1:CC80C96421CEAB6723CEF42BF7DB6564037633A8
                  SHA-256:5DF477E0B33A0109BC03717BDDDBA076F3975945A82E9A7D0345E6488472F068
                  SHA-512:5BD4C45B27A33A6A9B08FF388D24EC7574321502B3D68BE929891AA0875FD0EFC0DF1B7F98B71F2BF20644A867E073D7CAE3EB947B33563E5A5D72C0CA1EB039
                  Malicious:true
                  Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.b.r.o.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.d.i.r.e.c.t.o.r.y.\.i.c.o.n...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.274827926243343
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:S91AYfMUT0.exe
                  File size:1'279'488 bytes
                  MD5:b54974cd7b04beb5d6c5377ff6170f7b
                  SHA1:229eaffc4f15cbf5b2e21d9360e396aee53fb1b7
                  SHA256:9bef149490674703ed211bd591252d0c1557251e2e0844f4d5885d84ec0207ff
                  SHA512:ac5d5bc201933745399d16d2e65967129005d1a41aed4b3988ada76ce9926b752322e075353728fcacbcd84dacd9c74ca62a215a3bec3810b10c986e4302cf11
                  SSDEEP:24576:2AHnh+eWsN3skA4RV1Hom2KXMmHa3fGd4WclYQnJ/J+MB8hCdC45:Rh+ZkldoPK8Ya3ed4WcyAJB+M+hM
                  TLSH:1A45BE02B3D6D036FFAB92739B6AF20196BD79250133852F12981DB9BD701B1273D663
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                  Icon Hash:0f0dcc9a8acc490f
                  Entrypoint:0x42800a
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                  Time Stamp:0x66D8540A [Wed Sep 4 12:35:22 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:1
                  File Version Major:5
                  File Version Minor:1
                  Subsystem Version Major:5
                  Subsystem Version Minor:1
                  Import Hash:afcdf79be1557326c854b6e20cb900a7
                  Instruction
                  call 00007F9BDCB18ECDh
                  jmp 00007F9BDCB0BC84h
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  push edi
                  push esi
                  mov esi, dword ptr [esp+10h]
                  mov ecx, dword ptr [esp+14h]
                  mov edi, dword ptr [esp+0Ch]
                  mov eax, ecx
                  mov edx, ecx
                  add eax, esi
                  cmp edi, esi
                  jbe 00007F9BDCB0BE0Ah
                  cmp edi, eax
                  jc 00007F9BDCB0C16Eh
                  bt dword ptr [004C41FCh], 01h
                  jnc 00007F9BDCB0BE09h
                  rep movsb
                  jmp 00007F9BDCB0C11Ch
                  cmp ecx, 00000080h
                  jc 00007F9BDCB0BFD4h
                  mov eax, edi
                  xor eax, esi
                  test eax, 0000000Fh
                  jne 00007F9BDCB0BE10h
                  bt dword ptr [004BF324h], 01h
                  jc 00007F9BDCB0C2E0h
                  bt dword ptr [004C41FCh], 00000000h
                  jnc 00007F9BDCB0BFADh
                  test edi, 00000003h
                  jne 00007F9BDCB0BFBEh
                  test esi, 00000003h
                  jne 00007F9BDCB0BF9Dh
                  bt edi, 02h
                  jnc 00007F9BDCB0BE0Fh
                  mov eax, dword ptr [esi]
                  sub ecx, 04h
                  lea esi, dword ptr [esi+04h]
                  mov dword ptr [edi], eax
                  lea edi, dword ptr [edi+04h]
                  bt edi, 03h
                  jnc 00007F9BDCB0BE13h
                  movq xmm1, qword ptr [esi]
                  sub ecx, 08h
                  lea esi, dword ptr [esi+08h]
                  movq qword ptr [edi], xmm1
                  lea edi, dword ptr [edi+08h]
                  test esi, 00000007h
                  je 00007F9BDCB0BE65h
                  bt esi, 03h
                  Programming Language:
                  • [ASM] VS2013 build 21005
                  • [ C ] VS2013 build 21005
                  • [C++] VS2013 build 21005
                  • [ C ] VS2008 SP1 build 30729
                  • [IMP] VS2008 SP1 build 30729
                  • [ASM] VS2013 UPD5 build 40629
                  • [RES] VS2013 build 21005
                  • [LNK] VS2013 UPD5 build 40629
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x6def8 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x136000 | 0x7134 | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc | 0xc8000 | 0x6def8 | 0x6e000 | aa1c6559593d5e0d16515ec3972d8941 | False | 0.9792658025568182 | data | 7.9755916936262565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0x136000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  RT_ICON | 0xc8458 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                  RT_ICON | 0xc8580 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                  RT_ICON | 0xc86a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                  RT_ICON | 0xc87d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.26011560693641617
                  RT_MENU | 0xc8d38 | 0x50 | data | English | Great Britain | 0.9
                  RT_STRING | 0xc8d88 | 0x594 | data | English | Great Britain | 0.3333333333333333
                  RT_STRING | 0xc931c | 0x68a | data | English | Great Britain | 0.2747909199522103
                  RT_STRING | 0xc99a8 | 0x490 | data | English | Great Britain | 0.3715753424657534
                  RT_STRING | 0xc9e38 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                  RT_STRING | 0xca434 | 0x65c | data | English | Great Britain | 0.34336609336609336
                  RT_STRING | 0xcaa90 | 0x466 | data | English | Great Britain | 0.3605683836589698
                  RT_STRING | 0xcaef8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                  RT_RCDATA | 0xcb050 | 0x6a98a | data | | | 1.0003229367547835
                  RT_GROUP_ICON | 0x1359dc | 0x14 | data | English | Great Britain | 1.25
                  RT_GROUP_ICON | 0x1359f0 | 0x14 | data | English | Great Britain | 1.25
                  RT_GROUP_ICON | 0x135a04 | 0x14 | data | English | Great Britain | 1.15
                  RT_GROUP_ICON | 0x135a18 | 0x14 | data | English | Great Britain | 1.25
                  RT_VERSION | 0x135a2c | 0xdc | data | English | Great Britain | 0.6181818181818182
                  RT_MANIFEST | 0x135b08 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                  DLL | Import
                  WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                  VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                  WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                  COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                  MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                  WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                  PSAPI.DLL | GetProcessMemoryInfo
                  IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                  USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                  UxTheme.dll | IsThemeActive
                  KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                  USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                  GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                  COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
                  ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                  SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                  ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                  OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain | (map image not included)
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-12T21:27:15.218010+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49700 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:27:17.917524+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49701 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:27:20.602886+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49702 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:27:23.550003+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49703 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:27:26.358167+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49705 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:27:29.076160+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49709 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:27:31.775526+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49710 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:27:34.478620+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49711 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:27:37.203367+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49712 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:27:39.925071+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49713 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:27:42.637414+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49714 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:27:45.344746+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49715 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:27:48.135008+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49716 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:27:50.822146+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49717 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:27:53.529767+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49718 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:27:56.229180+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49719 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:27:58.931805+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49720 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:28:01.636832+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49721 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:28:04.409147+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49722 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:28:07.371022+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49724 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:28:10.074508+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49725 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:28:13.059767+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49726 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:28:15.793463+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49727 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:28:18.496322+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49728 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:28:21.201793+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49729 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:28:23.990055+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49730 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:28:26.700938+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49731 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:28:29.405886+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49732 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:28:32.089053+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49733 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:28:34.795844+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49734 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:28:37.495044+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49735 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:28:40.199306+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49736 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:28:43.130186+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49737 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:28:45.795277+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49738 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:28:48.590013+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49739 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:28:53.589312+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49740 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:28:56.169469+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49741 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:28:58.714462+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49742 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:01.266431+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49743 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:03.777955+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49744 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:06.253062+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49745 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:08.707352+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49746 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:11.121127+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49747 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:13.495506+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49748 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:15.959830+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49749 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:18.308869+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49750 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:20.672062+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49751 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:22.987406+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49752 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:25.340075+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49753 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:27.747997+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49754 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:30.202831+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49755 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:32.438465+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49756 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:34.639455+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49757 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:36.860018+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49758 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:39.060917+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49759 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:41.236637+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49760 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:43.388382+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49761 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:45.532232+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49762 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:47.654867+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49763 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:49.958130+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49764 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:52.068158+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49765 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:54.153761+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49766 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:56.219908+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49767 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:29:58.278588+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49768 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:00.346480+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49769 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:02.375452+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49770 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:04.406538+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49771 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:07.390061+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49772 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:09.529597+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49773 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:11.517891+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49774 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:13.762887+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49775 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:16.796315+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49776 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:18.762756+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49777 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:20.717713+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49778 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:22.672776+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49779 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:24.593750+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49780 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:26.535505+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49781 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:28.435898+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49782 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:30.357811+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49783 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:32.267567+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49784 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:34.796130+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49785 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:36.685651+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49786 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:38.575430+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49787 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:40.435581+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49788 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:42.465556+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49789 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:44.362724+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49790 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:46.239681+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49791 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:48.107581+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49792 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:49.950832+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49793 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:51.779596+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49794 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:53.607180+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49795 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:55.436498+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49796 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:57.285171+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49797 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:30:59.125555+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49798 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:31:00.970633+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49799 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:31:02.779631+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49800 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:31:04.597796+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49801 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:31:06.441468+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49802 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:31:08.254116+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49803 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:31:10.083380+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49804 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:31:11.888048+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49805 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:31:13.671542+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49806 | 45.95.169.137 | 2404 | TCP
2024-09-12T21:31:15.702801+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49807 | 45.95.169.137 | 2404 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 12, 2024 21:27:13.500530005 CEST | 49700 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:13.505531073 CEST | 2404 | 49700 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:13.505623102 CEST | 49700 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:13.514281988 CEST | 49700 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:13.519292116 CEST | 2404 | 49700 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:15.217756987 CEST | 2404 | 49700 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:15.218009949 CEST | 49700 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:15.218183994 CEST | 49700 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:15.224011898 CEST | 2404 | 49700 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:16.223349094 CEST | 49701 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:16.228292942 CEST | 2404 | 49701 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:16.228370905 CEST | 49701 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:16.231977940 CEST | 49701 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:16.236659050 CEST | 2404 | 49701 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:17.917408943 CEST | 2404 | 49701 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:17.917524099 CEST | 49701 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:17.917649984 CEST | 49701 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:17.923782110 CEST | 2404 | 49701 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:18.926131010 CEST | 49702 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:18.931207895 CEST | 2404 | 49702 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:18.931324005 CEST | 49702 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:18.935167074 CEST | 49702 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:18.940040112 CEST | 2404 | 49702 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:20.602830887 CEST | 2404 | 49702 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:20.602885962 CEST | 49702 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:20.602953911 CEST | 49702 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:20.607697964 CEST | 2404 | 49702 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:21.614291906 CEST | 49703 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:21.619585991 CEST | 2404 | 49703 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:21.619672060 CEST | 49703 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:21.623290062 CEST | 49703 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:21.630108118 CEST | 2404 | 49703 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:23.549887896 CEST | 2404 | 49703 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:23.550003052 CEST | 49703 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:23.550107956 CEST | 49703 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:23.557208061 CEST | 2404 | 49703 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:23.557252884 CEST | 49703 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:23.784797907 CEST | 2404 | 49703 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:23.784853935 CEST | 49703 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:23.788403988 CEST | 2404 | 49703 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:24.551275015 CEST | 49705 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:24.663430929 CEST | 2404 | 49705 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:24.663548946 CEST | 49705 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:24.669202089 CEST | 49705 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:24.673897028 CEST | 2404 | 49705 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:26.358078957 CEST | 2404 | 49705 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:26.358166933 CEST | 49705 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:26.358253002 CEST | 49705 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:26.363289118 CEST | 2404 | 49705 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:27.367094040 CEST | 49709 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:27.372173071 CEST | 2404 | 49709 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:27.372248888 CEST | 49709 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:27.376288891 CEST | 49709 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:27.381230116 CEST | 2404 | 49709 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:29.075922966 CEST | 2404 | 49709 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:29.076159954 CEST | 49709 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:29.076313019 CEST | 49709 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:29.081206083 CEST | 2404 | 49709 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:30.084757090 CEST | 49710 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:30.092772007 CEST | 2404 | 49710 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:30.093283892 CEST | 49710 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:30.096827030 CEST | 49710 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:30.103946924 CEST | 2404 | 49710 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:31.775402069 CEST | 2404 | 49710 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:31.775526047 CEST | 49710 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:31.775602102 CEST | 49710 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:31.780534029 CEST | 2404 | 49710 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:32.785789013 CEST | 49711 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:32.790716887 CEST | 2404 | 49711 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:32.790844917 CEST | 49711 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:32.794519901 CEST | 49711 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:32.799388885 CEST | 2404 | 49711 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:34.478432894 CEST | 2404 | 49711 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:34.478620052 CEST | 49711 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:34.478671074 CEST | 49711 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:34.483582020 CEST | 2404 | 49711 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:35.488742113 CEST | 49712 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:35.493726015 CEST | 2404 | 49712 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:35.493818045 CEST | 49712 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:35.497452021 CEST | 49712 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:35.502381086 CEST | 2404 | 49712 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:37.203288078 CEST | 2404 | 49712 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:37.203366995 CEST | 49712 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:37.203459978 CEST | 49712 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:37.208628893 CEST | 2404 | 49712 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:38.207375050 CEST | 49713 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:38.212431908 CEST | 2404 | 49713 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:38.212508917 CEST | 49713 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:38.216063023 CEST | 49713 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:38.221374989 CEST | 2404 | 49713 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:39.924881935 CEST | 2404 | 49713 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:39.925071001 CEST | 49713 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:39.925184011 CEST | 49713 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:39.932554960 CEST | 2404 | 49713 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:40.941992998 CEST | 49714 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:40.947180033 CEST | 2404 | 49714 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:40.947294950 CEST | 49714 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:40.950753927 CEST | 49714 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:40.955640078 CEST | 2404 | 49714 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:42.637320042 CEST | 2404 | 49714 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:42.637413979 CEST | 49714 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:42.640680075 CEST | 49714 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:42.645556927 CEST | 2404 | 49714 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:43.645112991 CEST | 49715 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:43.653861046 CEST | 2404 | 49715 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:43.653970957 CEST | 49715 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:43.657593966 CEST | 49715 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:43.662659883 CEST | 2404 | 49715 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:45.344609022 CEST | 2404 | 49715 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:45.344746113 CEST | 49715 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:45.363683939 CEST | 49715 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:45.368880987 CEST | 2404 | 49715 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:46.442272902 CEST | 49716 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:46.447280884 CEST | 2404 | 49716 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:46.447364092 CEST | 49716 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:46.450978041 CEST | 49716 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:46.455837965 CEST | 2404 | 49716 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:48.134938955 CEST | 2404 | 49716 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:48.135008097 CEST | 49716 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:48.135083914 CEST | 49716 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:48.139889956 CEST | 2404 | 49716 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:49.145339966 CEST | 49717 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:49.150384903 CEST | 2404 | 49717 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:49.150482893 CEST | 49717 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:49.153928041 CEST | 49717 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:49.158843994 CEST | 2404 | 49717 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:50.822024107 CEST | 2404 | 49717 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:50.822145939 CEST | 49717 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:50.822369099 CEST | 49717 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:50.827193975 CEST | 2404 | 49717 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:51.832353115 CEST | 49718 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:51.838011980 CEST | 2404 | 49718 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:51.838130951 CEST | 49718 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:51.841716051 CEST | 49718 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:51.846831083 CEST | 2404 | 49718 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:53.529685020 CEST | 2404 | 49718 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:53.529767036 CEST | 49718 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:53.529875994 CEST | 49718 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:53.534631014 CEST | 2404 | 49718 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:54.535727024 CEST | 49719 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:54.540874958 CEST | 2404 | 49719 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:54.540962934 CEST | 49719 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:54.547529936 CEST | 49719 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:54.552344084 CEST | 2404 | 49719 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:56.229043007 CEST | 2404 | 49719 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:56.229180098 CEST | 49719 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:56.229435921 CEST | 49719 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:56.235240936 CEST | 2404 | 49719 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:57.238912106 CEST | 49720 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:57.243948936 CEST | 2404 | 49720 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:57.244083881 CEST | 49720 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:57.249141932 CEST | 49720 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:57.254293919 CEST | 2404 | 49720 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:58.931725025 CEST | 2404 | 49720 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:58.931804895 CEST | 49720 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:58.931880951 CEST | 49720 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:58.936887026 CEST | 2404 | 49720 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:59.942017078 CEST | 49721 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:59.946973085 CEST | 2404 | 49721 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:27:59.947099924 CEST | 49721 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:59.952238083 CEST | 49721 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:27:59.959754944 CEST | 2404 | 49721 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:28:01.636691093 CEST | 2404 | 49721 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:28:01.636831999 CEST | 49721 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:01.636941910 CEST | 49721 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:01.641736031 CEST | 2404 | 49721 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:28:02.645488024 CEST | 49722 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:02.650717020 CEST | 2404 | 49722 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:28:02.650924921 CEST | 49722 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:02.654534101 CEST | 49722 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:02.659621954 CEST | 2404 | 49722 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:28:04.408946037 CEST | 2404 | 49722 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:28:04.409147024 CEST | 49722 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:04.409459114 CEST | 49722 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:04.414722919 CEST | 2404 | 49722 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:28:05.411052942 CEST | 49724 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:05.677522898 CEST | 2404 | 49724 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:28:05.679264069 CEST | 49724 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:05.682909966 CEST | 49724 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:05.687881947 CEST | 2404 | 49724 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:28:07.370953083 CEST | 2404 | 49724 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:28:07.371021986 CEST | 49724 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:07.371150970 CEST | 49724 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:07.376182079 CEST | 2404 | 49724 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:28:08.380938053 CEST | 49725 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:08.385924101 CEST | 2404 | 49725 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:28:08.386050940 CEST | 49725 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:08.391098976 CEST | 49725 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:08.396145105 CEST | 2404 | 49725 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:28:10.074337006 CEST | 2404 | 49725 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:28:10.074507952 CEST | 49725 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:10.074609995 CEST | 49725 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:10.079425097 CEST | 2404 | 49725 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:28:11.085757017 CEST | 49726 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:11.384897947 CEST | 2404 | 49726 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:28:11.385096073 CEST | 49726 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:11.388989925 CEST | 49726 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:11.395078897 CEST | 2404 | 49726 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:28:13.059648037 CEST | 2404 | 49726 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:28:13.059767008 CEST | 49726 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:13.059890032 CEST | 49726 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:13.064836979 CEST | 2404 | 49726 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:28:14.066829920 CEST | 49727 | 2404 | 192.168.2.10 | 45.95.169.137
Sep 12, 2024 21:28:14.071824074 CEST | 2404 | 49727 | 45.95.169.137 | 192.168.2.10
Sep 12, 2024 21:28:14.071907997 CEST | 49727 | 2404 | 192.168.2.10 | 45.95.169.137
                  Sep 12, 2024 21:28:14.076071978 CEST497272404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:14.080919981 CEST24044972745.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:15.793282986 CEST24044972745.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:15.793462992 CEST497272404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:15.793531895 CEST497272404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:15.798440933 CEST24044972745.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:16.801059961 CEST497282404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:16.806130886 CEST24044972845.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:16.806274891 CEST497282404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:16.809976101 CEST497282404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:16.814851999 CEST24044972845.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:18.496231079 CEST24044972845.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:18.496321917 CEST497282404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:18.496370077 CEST497282404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:18.501188993 CEST24044972845.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:19.504076958 CEST497292404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:19.509043932 CEST24044972945.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:19.509287119 CEST497292404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:19.512819052 CEST497292404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:19.517895937 CEST24044972945.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:21.198338032 CEST24044972945.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:21.201792955 CEST497292404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:21.203222990 CEST497292404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:21.208058119 CEST24044972945.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:22.207298040 CEST497302404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:22.212232113 CEST24044973045.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:22.212424040 CEST497302404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:22.216063023 CEST497302404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:22.220819950 CEST24044973045.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:23.986504078 CEST24044973045.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:23.990055084 CEST497302404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:23.990097046 CEST497302404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:23.994838953 CEST24044973045.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:25.004051924 CEST497312404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:25.009550095 CEST24044973145.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:25.009625912 CEST497312404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:25.013596058 CEST497312404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:25.018909931 CEST24044973145.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:26.700824022 CEST24044973145.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:26.700937986 CEST497312404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:26.701169014 CEST497312404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:26.706324100 CEST24044973145.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:27.707331896 CEST497322404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:27.712536097 CEST24044973245.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:27.712821960 CEST497322404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:27.716964960 CEST497322404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:27.721903086 CEST24044973245.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:29.405807972 CEST24044973245.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:29.405885935 CEST497322404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:29.405978918 CEST497322404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:29.410742998 CEST24044973245.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:30.410563946 CEST497332404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:30.415412903 CEST24044973345.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:30.415548086 CEST497332404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:30.427349091 CEST497332404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:30.432246923 CEST24044973345.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:32.088890076 CEST24044973345.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:32.089052916 CEST497332404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:32.089091063 CEST497332404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:32.093903065 CEST24044973345.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:33.097965956 CEST497342404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:33.103590012 CEST24044973445.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:33.104599953 CEST497342404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:33.108556986 CEST497342404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:33.114145994 CEST24044973445.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:34.795767069 CEST24044973445.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:34.795844078 CEST497342404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:34.795970917 CEST497342404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:34.800760984 CEST24044973445.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:35.801126957 CEST497352404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:35.806046963 CEST24044973545.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:35.806301117 CEST497352404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:35.809937954 CEST497352404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:35.814829111 CEST24044973545.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:37.494962931 CEST24044973545.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:37.495043993 CEST497352404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:37.495119095 CEST497352404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:37.499959946 CEST24044973545.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:38.504432917 CEST497362404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:38.509344101 CEST24044973645.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:38.509444952 CEST497362404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:38.514580011 CEST497362404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:38.519548893 CEST24044973645.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:40.199167013 CEST24044973645.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:40.199306011 CEST497362404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:40.199404001 CEST497362404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:40.204255104 CEST24044973645.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:41.223551035 CEST497372404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:41.228652000 CEST24044973745.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:41.228733063 CEST497372404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:41.324589014 CEST497372404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:41.329973936 CEST24044973745.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:43.127962112 CEST24044973745.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:43.130186081 CEST497372404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:43.130259037 CEST497372404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:43.136065960 CEST24044973745.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:43.137592077 CEST497372404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:43.143452883 CEST24044973745.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:44.098237038 CEST497382404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:44.103454113 CEST24044973845.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:44.106355906 CEST497382404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:44.109894037 CEST497382404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:44.114731073 CEST24044973845.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:45.792088032 CEST24044973845.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:45.795277119 CEST497382404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:45.795366049 CEST497382404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:45.800297022 CEST24044973845.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:46.738517046 CEST497392404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:46.910716057 CEST24044973945.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:46.910933971 CEST497392404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:46.914509058 CEST497392404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:46.919544935 CEST24044973945.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:48.589834929 CEST24044973945.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:48.590013027 CEST497392404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:48.590059996 CEST497392404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:48.594933987 CEST24044973945.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:49.505253077 CEST497402404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:49.510186911 CEST24044974045.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:49.510265112 CEST497402404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:49.514158964 CEST497402404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:49.518985033 CEST24044974045.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:53.589229107 CEST24044974045.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:53.589312077 CEST497402404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:53.589361906 CEST497402404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:53.594331980 CEST24044974045.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:54.472902060 CEST497412404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:54.478398085 CEST24044974145.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:54.479592085 CEST497412404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:54.483246088 CEST497412404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:54.488181114 CEST24044974145.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:56.167768002 CEST24044974145.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:56.169469118 CEST497412404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:56.169469118 CEST497412404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:56.174859047 CEST24044974145.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:57.019761086 CEST497422404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:57.026331902 CEST24044974245.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:57.027404070 CEST497422404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:57.030561924 CEST497422404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:57.037231922 CEST24044974245.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:58.714365959 CEST24044974245.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:58.714462042 CEST497422404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:58.714528084 CEST497422404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:58.719391108 CEST24044974245.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:59.546437979 CEST497432404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:59.556206942 CEST24044974345.95.169.137192.168.2.10
                  Sep 12, 2024 21:28:59.556313992 CEST497432404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:59.605257988 CEST497432404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:28:59.611164093 CEST24044974345.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:01.264585972 CEST24044974345.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:01.266431093 CEST497432404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:01.266506910 CEST497432404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:01.271462917 CEST24044974345.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:02.090791941 CEST497442404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:02.095673084 CEST24044974445.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:02.099343061 CEST497442404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:02.161166906 CEST497442404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:02.166044950 CEST24044974445.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:03.777864933 CEST24044974445.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:03.777955055 CEST497442404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:03.778036118 CEST497442404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:03.783893108 CEST24044974445.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:04.551107883 CEST497452404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:04.556042910 CEST24044974545.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:04.556171894 CEST497452404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:04.559631109 CEST497452404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:04.564379930 CEST24044974545.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:06.252964020 CEST24044974545.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:06.253062010 CEST497452404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:06.253132105 CEST497452404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:06.259219885 CEST24044974545.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:07.004264116 CEST497462404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:07.009200096 CEST24044974645.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:07.009299994 CEST497462404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:07.012813091 CEST497462404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:07.020473003 CEST24044974645.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:08.703350067 CEST24044974645.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:08.707351923 CEST497462404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:08.707403898 CEST497462404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:08.712347984 CEST24044974645.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:09.426001072 CEST497472404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:09.433448076 CEST24044974745.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:09.438528061 CEST497472404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:09.442138910 CEST497472404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:09.446933031 CEST24044974745.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:11.121010065 CEST24044974745.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:11.121126890 CEST497472404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:11.121162891 CEST497472404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:11.128717899 CEST24044974745.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:11.816616058 CEST497482404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:11.821446896 CEST24044974845.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:11.823388100 CEST497482404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:11.826977015 CEST497482404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:11.831779003 CEST24044974845.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:13.495363951 CEST24044974845.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:13.495506048 CEST497482404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:13.495506048 CEST497482404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:13.500375032 CEST24044974845.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:14.176042080 CEST497492404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:14.180871964 CEST24044974945.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:14.180957079 CEST497492404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:14.184492111 CEST497492404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:14.189681053 CEST24044974945.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:15.959764004 CEST24044974945.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:15.959830046 CEST497492404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:15.960074902 CEST497492404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:15.978771925 CEST24044974945.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:16.613547087 CEST497502404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:16.618508101 CEST24044975045.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:16.618592978 CEST497502404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:16.622025013 CEST497502404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:16.626876116 CEST24044975045.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:18.308794975 CEST24044975045.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:18.308868885 CEST497502404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:18.347439051 CEST497502404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:18.354163885 CEST24044975045.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:18.973032951 CEST497512404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:18.977910995 CEST24044975145.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:18.978043079 CEST497512404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:18.982943058 CEST497512404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:18.987762928 CEST24044975145.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:20.671979904 CEST24044975145.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:20.672061920 CEST497512404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:20.672106981 CEST497512404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:20.676927090 CEST24044975145.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:21.288373947 CEST497522404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:21.293524027 CEST24044975245.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:21.293632030 CEST497522404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:21.315288067 CEST497522404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:21.320260048 CEST24044975245.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:22.984859943 CEST24044975245.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:22.987406015 CEST497522404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:22.987452030 CEST497522404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:22.992355108 CEST24044975245.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:23.582401037 CEST497532404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:23.587249994 CEST24044975345.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:23.587342024 CEST497532404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:23.590774059 CEST497532404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:23.595549107 CEST24044975345.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:25.340007067 CEST24044975345.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:25.340075016 CEST497532404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:25.340132952 CEST497532404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:25.344918013 CEST24044975345.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:25.910737038 CEST497542404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:25.918427944 CEST24044975445.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:25.918576002 CEST497542404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:25.929321051 CEST497542404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:25.934326887 CEST24044975445.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:27.747895002 CEST24044975445.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:27.747997046 CEST497542404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:27.748101950 CEST497542404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:27.753271103 CEST24044975445.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:28.301215887 CEST497552404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:28.307543993 CEST24044975545.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:28.307650089 CEST497552404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:28.311429977 CEST497552404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:28.317955017 CEST24044975545.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:30.202771902 CEST24044975545.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:30.202831030 CEST497552404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:30.203082085 CEST497552404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:30.212887049 CEST24044975545.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:30.738974094 CEST497562404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:30.746819019 CEST24044975645.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:30.746915102 CEST497562404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:30.755902052 CEST497562404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:30.760663033 CEST24044975645.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:32.438381910 CEST24044975645.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:32.438465118 CEST497562404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:32.438534021 CEST497562404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:32.446079969 CEST24044975645.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:32.957446098 CEST497572404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:32.962450981 CEST24044975745.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:32.963422060 CEST497572404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:32.971940041 CEST497572404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:32.976686001 CEST24044975745.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:34.638051987 CEST24044975745.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:34.639455080 CEST497572404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:34.639455080 CEST497572404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:34.644424915 CEST24044975745.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:35.145162106 CEST497582404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:35.150238037 CEST24044975845.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:35.150326967 CEST497582404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:35.155206919 CEST497582404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:35.160200119 CEST24044975845.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:36.859874964 CEST24044975845.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:36.860018015 CEST497582404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:36.860106945 CEST497582404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:36.865025997 CEST24044975845.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:37.347925901 CEST497592404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:37.352992058 CEST24044975945.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:37.355422020 CEST497592404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:37.358963013 CEST497592404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:37.363745928 CEST24044975945.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:39.060827017 CEST24044975945.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:39.060916901 CEST497592404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:39.061016083 CEST497592404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:39.065891981 CEST24044975945.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:39.519869089 CEST497602404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:39.525002003 CEST24044976045.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:39.525799990 CEST497602404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:39.530780077 CEST497602404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:39.535996914 CEST24044976045.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:41.236565113 CEST24044976045.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:41.236637115 CEST497602404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:41.236686945 CEST497602404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:41.243837118 CEST24044976045.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:41.692030907 CEST497612404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:41.699323893 CEST24044976145.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:41.699418068 CEST497612404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:41.703855038 CEST497612404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:41.710652113 CEST24044976145.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:43.388289928 CEST24044976145.95.169.137192.168.2.10
                  Sep 12, 2024 21:29:43.388381958 CEST497612404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:43.388462067 CEST497612404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:29:43.393241882 CEST24044976145.95.169.137192.168.2.10
                  Sep 12, 2024 21:31:11.888133049 CEST498052404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:31:11.893368959 CEST24044980545.95.169.137192.168.2.10
                  Sep 12, 2024 21:31:11.988758087 CEST498062404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:31:11.993892908 CEST24044980645.95.169.137192.168.2.10
                  Sep 12, 2024 21:31:11.993999958 CEST498062404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:31:11.998192072 CEST498062404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:31:12.003849983 CEST24044980645.95.169.137192.168.2.10
                  Sep 12, 2024 21:31:13.670146942 CEST24044980645.95.169.137192.168.2.10
                  Sep 12, 2024 21:31:13.671541929 CEST498062404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:31:13.671597004 CEST498062404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:31:13.676460028 CEST24044980645.95.169.137192.168.2.10
                  Sep 12, 2024 21:31:14.020236015 CEST498072404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:31:14.025266886 CEST24044980745.95.169.137192.168.2.10
                  Sep 12, 2024 21:31:14.025374889 CEST498072404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:31:14.028784990 CEST498072404192.168.2.1045.95.169.137
                  Sep 12, 2024 21:31:14.033658981 CEST24044980745.95.169.137192.168.2.10
                  Sep 12, 2024 21:31:15.702729940 CEST24044980745.95.169.137192.168.2.10
                  Sep 12, 2024 21:31:15.702800989 CEST498072404192.168.2.1045.95.169.137


                  Target ID:6
                  Start time:15:27:06
                  Start date:12/09/2024
                  Path:C:\Users\user\Desktop\S91AYfMUT0.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\S91AYfMUT0.exe"
                  Imagebase:0x620000
                  File size:1'279'488 bytes
                  MD5 hash:B54974CD7B04BEB5D6C5377FF6170F7B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:8
                  Start time:15:27:09
                  Start date:12/09/2024
                  Path:C:\Users\user\AppData\Local\directory\icon.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\S91AYfMUT0.exe"
                  Imagebase:0x10000
                  File size:1'279'488 bytes
                  MD5 hash:B54974CD7B04BEB5D6C5377FF6170F7B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000008.00000002.1338735869.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                  Antivirus matches:
                  • Detection: 100%, Avira
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 61%, ReversingLabs
                  Reputation:low
                  Has exited:true

                  Target ID:9
                  Start time:15:27:11
                  Start date:12/09/2024
                  Path:C:\Windows\SysWOW64\svchost.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\S91AYfMUT0.exe"
                  Imagebase:0xb80000
                  File size:46'504 bytes
                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.3742139950.0000000003412000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000009.00000002.3740400024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.3742035824.0000000003400000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:false

                  Target ID:11
                  Start time:15:27:24
                  Start date:12/09/2024
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icon.vbs"
                  Imagebase:0x7ff669b20000
                  File size:170'496 bytes
                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:12
                  Start time:15:27:24
                  Start date:12/09/2024
                  Path:C:\Users\user\AppData\Local\directory\icon.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Local\directory\icon.exe"
                  Imagebase:0x10000
                  File size:1'279'488 bytes
                  MD5 hash:B54974CD7B04BEB5D6C5377FF6170F7B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.1498234408.0000000003470000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.1498234408.0000000003470000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.1498234408.0000000003470000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.1498234408.0000000003470000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.1498234408.0000000003470000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000C.00000002.1498234408.0000000003470000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                  Reputation:low
                  Has exited:true

                  Target ID:13
                  Start time:15:27:27
                  Start date:12/09/2024
                  Path:C:\Windows\SysWOW64\svchost.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Local\directory\icon.exe"
                  Imagebase:0xb80000
                  File size:46'504 bytes
                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.1496539129.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.1496539129.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.1496539129.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.1496539129.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000D.00000002.1496539129.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000D.00000002.1496539129.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.1496792749.0000000000800000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:true


                    Execution Graph

                    Execution Coverage:3.9%
                    Dynamic/Decrypted Code Coverage:0.4%
                    Signature Coverage:6.9%
                    Total number of Nodes:2000
                    Total number of Limit Nodes:48
__beginthread 98357->98409 98367 642ec2 98358->98367 98360 642f58 EncodePointer EncodePointer 98360->98358 98361 642f07 98361->98360 98362 642f2c 98361->98362 98410 648aa4 61 API calls 2 library calls 98361->98410 98362->98358 98365 642f46 EncodePointer 98362->98365 98411 648aa4 61 API calls 2 library calls 98362->98411 98365->98360 98366 642f40 98366->98358 98366->98365 98412 643460 98367->98412 98371 649e5c 98370->98371 98372 649e6f EnterCriticalSection 98370->98372 98377 649ed3 98371->98377 98372->98355 98374 649e62 98374->98372 98401 6432f5 58 API calls 3 library calls 98374->98401 98378 649edf __close 98377->98378 98379 649f00 98378->98379 98380 649ee8 98378->98380 98389 649f21 __close 98379->98389 98405 648a5d 58 API calls __malloc_crt 98379->98405 98402 64a3ab 58 API calls __NMSG_WRITE 98380->98402 98382 649eed 98403 64a408 58 API calls 6 library calls 98382->98403 98385 649f15 98387 649f1c 98385->98387 98388 649f2b 98385->98388 98386 649ef4 98404 6432df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 98386->98404 98406 648d68 58 API calls __getptd_noexit 98387->98406 98392 649e4b __lock 58 API calls 98388->98392 98389->98374 98394 649f32 98392->98394 98395 649f57 98394->98395 98396 649f3f 98394->98396 98398 642f95 _free 58 API calls 98395->98398 98407 64a06b InitializeCriticalSectionAndSpinCount 98396->98407 98399 649f4b 98398->98399 98408 649f73 LeaveCriticalSection _doexit 98399->98408 98402->98382 98403->98386 98405->98385 98406->98389 98407->98399 98408->98389 98409->98361 98410->98362 98411->98366 98415 649fb5 LeaveCriticalSection 98412->98415 98414 642ec7 98414->98352 98415->98414 98416 621016 98421 624ad2 98416->98421 98419 642f80 __cinit 67 API calls 98420 621025 98419->98420 98422 640ff6 Mailbox 59 API calls 98421->98422 98423 624ada 98422->98423 98424 62101b 98423->98424 98428 624a94 98423->98428 98424->98419 98429 624a9d 98428->98429 98431 624aaf 98428->98431 98430 642f80 __cinit 67 API calls 98429->98430 98430->98431 98432 
624afe 98431->98432 98433 6277c7 59 API calls 98432->98433 98434 624b16 GetVersionExW 98433->98434 98435 627d2c 59 API calls 98434->98435 98436 624b59 98435->98436 98437 627e8c 59 API calls 98436->98437 98445 624b86 98436->98445 98438 624b7a 98437->98438 98460 627886 98438->98460 98440 624bf1 GetCurrentProcess IsWow64Process 98441 624c0a 98440->98441 98442 624c20 98441->98442 98443 624c89 GetSystemInfo 98441->98443 98456 624c95 98442->98456 98447 624c56 98443->98447 98444 65dc8d 98445->98440 98445->98444 98447->98424 98449 624c32 98451 624c95 2 API calls 98449->98451 98450 624c7d GetSystemInfo 98452 624c47 98450->98452 98453 624c3a GetNativeSystemInfo 98451->98453 98452->98447 98454 624c4d FreeLibrary 98452->98454 98453->98452 98454->98447 98457 624c2e 98456->98457 98458 624c9e LoadLibraryA 98456->98458 98457->98449 98457->98450 98458->98457 98459 624caf GetProcAddress 98458->98459 98459->98457 98461 627894 98460->98461 98462 627e8c 59 API calls 98461->98462 98463 6278a4 98462->98463 98463->98445 98464 621055 98469 622649 98464->98469 98467 642f80 __cinit 67 API calls 98468 621064 98467->98468 98470 6277c7 59 API calls 98469->98470 98471 6226b7 98470->98471 98476 623582 98471->98476 98473 622754 98475 62105a 98473->98475 98479 623416 59 API calls 2 library calls 98473->98479 98475->98467 98480 6235b0 98476->98480 98479->98473 98481 6235a1 98480->98481 98482 6235bd 98480->98482 98481->98473 98482->98481 98483 6235c4 RegOpenKeyExW 98482->98483 98483->98481 98484 6235de RegQueryValueExW 98483->98484 98485 623614 RegCloseKey 98484->98485 98486 6235ff 98484->98486 98485->98481 98486->98485 98487 660251 98499 63fb84 98487->98499 98489 660267 98490 66027d 98489->98490 98491 6602e8 98489->98491 98588 629fbd 60 API calls 98490->98588 98508 62fe40 98491->98508 98494 6602dc Mailbox 98496 660ce1 Mailbox 98494->98496 98590 68a0b5 90 API calls 4 library calls 98494->98590 98497 6602bc 98497->98494 98589 6885d9 59 API calls Mailbox 98497->98589 98500 63fba2 98499->98500 98501 
63fb90 98499->98501 98503 63fbd1 98500->98503 98504 63fba8 98500->98504 98502 629e9c 60 API calls 98501->98502 98507 63fb9a 98502->98507 98505 629e9c 60 API calls 98503->98505 98506 640ff6 Mailbox 59 API calls 98504->98506 98505->98507 98506->98507 98507->98489 98591 6282e0 98508->98591 98510 62fe9d 98511 664b57 98510->98511 98557 630856 98510->98557 98596 62f394 98510->98596 98721 68a0b5 90 API calls 4 library calls 98511->98721 98515 664b6c 98516 62ff9e 98517 664cb7 98516->98517 98519 62ffac 98516->98519 98725 676c62 59 API calls 2 library calls 98516->98725 98517->98515 98517->98519 98727 69a5ee 86 API calls Mailbox 98517->98727 98518 630677 98526 640ff6 Mailbox 59 API calls 98518->98526 98528 664d23 98519->98528 98575 664f7d 98519->98575 98600 6284dc 98519->98600 98520 664c01 98520->98515 98723 68a0b5 90 API calls 4 library calls 98520->98723 98523 640ff6 59 API calls Mailbox 98550 62ff33 98523->98550 98536 6306a5 _memmove 98526->98536 98527 664c72 98726 676665 59 API calls 2 library calls 98527->98726 98537 664d41 98528->98537 98729 628720 98528->98729 98530 664b7f 98530->98520 98722 62f803 342 API calls 98530->98722 98533 664c95 98539 62a000 342 API calls 98533->98539 98534 664cdc Mailbox 98534->98519 98728 676c62 59 API calls 2 library calls 98534->98728 98544 640ff6 Mailbox 59 API calls 98536->98544 98541 664d52 98537->98541 98546 628720 59 API calls 98537->98546 98538 630004 98542 630092 98538->98542 98543 664f00 98538->98543 98582 6302d9 Mailbox _memmove 98538->98582 98539->98517 98541->98582 98737 676621 59 API calls Mailbox 98541->98737 98547 640ff6 Mailbox 59 API calls 98542->98547 98745 689d71 60 API calls 98543->98745 98586 630266 _memmove 98544->98586 98546->98541 98551 630099 98547->98551 98550->98515 98550->98516 98550->98518 98550->98523 98550->98530 98550->98536 98560 664c36 98550->98560 98697 62a000 98550->98697 98551->98557 98607 630b30 98551->98607 98553 664e77 98554 62a000 342 API calls 98553->98554 98556 664eb1 98554->98556 98556->98515 
98740 628620 98556->98740 98720 68a0b5 90 API calls 4 library calls 98557->98720 98559 630112 98559->98536 98559->98557 98566 630146 98559->98566 98724 68a0b5 90 API calls 4 library calls 98560->98724 98564 664edc 98744 68a0b5 90 API calls 4 library calls 98564->98744 98567 6281a7 59 API calls 98566->98567 98573 630167 98566->98573 98567->98573 98569 629df0 Mailbox 59 API calls 98569->98586 98570 629e9c 60 API calls 98570->98582 98571 6304f8 98571->98494 98572 640ff6 59 API calls Mailbox 98572->98582 98573->98557 98574 664f4e 98573->98574 98579 6301ac 98573->98579 98576 629e9c 60 API calls 98574->98576 98575->98515 98746 68a0b5 90 API calls 4 library calls 98575->98746 98576->98575 98577 630238 98578 629e9c 60 API calls 98577->98578 98581 63024b 98578->98581 98579->98557 98579->98575 98579->98577 98580 664e46 98583 640ff6 Mailbox 59 API calls 98580->98583 98581->98557 98684 62843f 98581->98684 98582->98553 98582->98557 98582->98564 98582->98570 98582->98571 98582->98572 98582->98580 98695 6288a0 68 API calls __cinit 98582->98695 98696 6287c0 68 API calls 98582->98696 98738 685bd9 68 API calls 98582->98738 98739 628b13 69 API calls Mailbox 98582->98739 98583->98553 98586->98569 98586->98582 98587 6302c2 98586->98587 98587->98494 98588->98497 98589->98494 98590->98496 98592 6282ef 98591->98592 98595 62830a 98591->98595 98593 627faf 59 API calls 98592->98593 98594 6282f7 CharUpperBuffW 98593->98594 98594->98595 98595->98510 98597 62f3b1 98596->98597 98598 62f3d2 98597->98598 98747 68a0b5 90 API calls 4 library calls 98597->98747 98598->98550 98601 65f1e6 98600->98601 98602 6284ed 98600->98602 98603 640ff6 Mailbox 59 API calls 98602->98603 98604 6284f4 98603->98604 98605 628515 98604->98605 98748 628794 59 API calls Mailbox 98604->98748 98605->98528 98605->98538 98608 6650ed 98607->98608 98622 630b55 98607->98622 98813 68a0b5 90 API calls 4 library calls 98608->98813 98610 630e5a 98610->98559 98612 631044 98612->98610 98614 631051 98612->98614 98811 6311f3 342 API 
calls Mailbox 98614->98811 98615 630bab PeekMessageW 98683 630b65 Mailbox 98615->98683 98617 631058 LockWindowUpdate DestroyWindow GetMessageW 98617->98610 98620 63108a 98617->98620 98619 6652ab Sleep 98619->98683 98623 666082 TranslateMessage DispatchMessageW GetMessageW 98620->98623 98621 630e44 98621->98610 98810 6311d0 10 API calls Mailbox 98621->98810 98622->98683 98814 629fbd 60 API calls 98622->98814 98815 6768bf 342 API calls 98622->98815 98623->98623 98625 6660b2 98623->98625 98625->98610 98626 630fa3 PeekMessageW 98626->98683 98627 630fbf TranslateMessage DispatchMessageW 98627->98626 98628 66517a TranslateAcceleratorW 98628->98626 98628->98683 98629 640ff6 59 API calls Mailbox 98629->98683 98630 630e73 timeGetTime 98630->98683 98631 665c49 WaitForSingleObject 98633 665c66 GetExitCodeProcess CloseHandle 98631->98633 98631->98683 98667 6310f5 98633->98667 98634 630fdd Sleep 98666 630fee Mailbox 98634->98666 98635 6281a7 59 API calls 98635->98683 98636 6277c7 59 API calls 98636->98666 98637 665f22 Sleep 98637->98666 98640 640719 timeGetTime 98640->98666 98641 6310ae timeGetTime 98812 629fbd 60 API calls 98641->98812 98644 629997 85 API calls 98644->98683 98645 665fb9 GetExitCodeProcess 98646 665fe5 CloseHandle 98645->98646 98647 665fcf WaitForSingleObject 98645->98647 98646->98666 98647->98646 98647->98683 98650 6a61ac 111 API calls 98650->98666 98651 62b93d 110 API calls 98651->98666 98652 629fbd 60 API calls 98652->98683 98653 665c9e 98653->98667 98654 666041 Sleep 98654->98683 98655 6654a2 Sleep 98655->98683 98657 627f41 59 API calls 98657->98666 98662 62a000 315 API calls 98662->98683 98664 62fe40 315 API calls 98664->98683 98666->98636 98666->98640 98666->98645 98666->98650 98666->98651 98666->98653 98666->98654 98666->98655 98666->98657 98666->98667 98666->98683 98821 6828f7 60 API calls 98666->98821 98822 629fbd 60 API calls 98666->98822 98823 628b13 69 API calls Mailbox 98666->98823 98824 62b89c 342 API calls 98666->98824 98825 676a50 60 API calls 
98666->98825 98826 6854e6 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 98666->98826 98827 683e91 66 API calls Mailbox 98666->98827 98667->98559 98669 68a0b5 90 API calls 98669->98683 98671 629df0 59 API calls Mailbox 98671->98683 98672 628620 69 API calls 98672->98683 98673 62b89c 315 API calls 98673->98683 98674 62843f 59 API calls 98674->98683 98675 6766f4 59 API calls Mailbox 98675->98683 98676 6659ff VariantClear 98676->98683 98677 628e34 59 API calls Mailbox 98677->98683 98678 665a95 VariantClear 98678->98683 98679 665843 VariantClear 98679->98683 98680 677405 59 API calls 98680->98683 98681 627f41 59 API calls 98681->98683 98682 628b13 69 API calls 98682->98683 98683->98615 98683->98619 98683->98621 98683->98626 98683->98627 98683->98628 98683->98629 98683->98630 98683->98631 98683->98634 98683->98635 98683->98637 98683->98641 98683->98644 98683->98652 98683->98662 98683->98664 98683->98666 98683->98667 98683->98669 98683->98671 98683->98672 98683->98673 98683->98674 98683->98675 98683->98676 98683->98677 98683->98678 98683->98679 98683->98680 98683->98681 98683->98682 98749 62e580 98683->98749 98756 62e800 98683->98756 98787 62f5c0 98683->98787 98805 6231ce 98683->98805 98816 6a629f 59 API calls 98683->98816 98817 689c9f 59 API calls Mailbox 98683->98817 98818 67d9e3 59 API calls 98683->98818 98819 676665 59 API calls 2 library calls 98683->98819 98820 628561 59 API calls 98683->98820 98685 65f1ca 98684->98685 98688 628452 98684->98688 98686 65f1da 98685->98686 99825 67671a 59 API calls 98685->99825 98689 62847c 98688->98689 98690 628720 59 API calls 98688->98690 98694 628499 Mailbox 98688->98694 98691 628482 98689->98691 98692 628720 59 API calls 98689->98692 98690->98689 98693 629df0 Mailbox 59 API calls 98691->98693 98691->98694 98692->98691 98693->98694 98694->98586 98695->98582 98696->98582 98698 62a01f 98697->98698 98718 62a04d Mailbox 98697->98718 98699 640ff6 Mailbox 59 API calls 98698->98699 98699->98718 
98700 62b5da 99889 68a0b5 90 API calls 4 library calls 98700->99889 98701 62b5d5 98702 6281a7 59 API calls 98701->98702 98703 62a1b7 98702->98703 98703->98550 98704 640ff6 59 API calls Mailbox 98704->98718 98705 6277c7 59 API calls 98705->98718 98708 6281a7 59 API calls 98708->98718 98710 66047f 99886 68a0b5 90 API calls 4 library calls 98710->99886 98713 66048e 98713->98550 98714 642f80 67 API calls __cinit 98714->98718 98715 677405 59 API calls 98715->98718 98716 660e00 99888 68a0b5 90 API calls 4 library calls 98716->99888 98718->98700 98718->98701 98718->98703 98718->98704 98718->98705 98718->98708 98718->98710 98718->98714 98718->98715 98718->98716 98719 62a6ba 98718->98719 99826 62ca20 98718->99826 99885 62ba60 60 API calls Mailbox 98718->99885 99887 68a0b5 90 API calls 4 library calls 98719->99887 98720->98511 98721->98515 98722->98520 98723->98515 98724->98515 98725->98527 98726->98533 98727->98534 98728->98534 98730 62872e 98729->98730 98736 628756 98729->98736 98731 62873c 98730->98731 98732 628720 59 API calls 98730->98732 98733 628742 98731->98733 98734 628720 59 API calls 98731->98734 98732->98731 98735 629df0 Mailbox 59 API calls 98733->98735 98733->98736 98734->98733 98735->98736 98736->98537 98737->98582 98738->98582 98739->98582 98741 62862b 98740->98741 98742 628652 98741->98742 100022 628b13 69 API calls Mailbox 98741->100022 98742->98564 98744->98515 98745->98566 98746->98515 98747->98598 98748->98605 98750 62e5b1 98749->98750 98751 62e59d 98749->98751 98829 68a0b5 90 API calls 4 library calls 98750->98829 98828 62e060 342 API calls 2 library calls 98751->98828 98753 62e5a8 98753->98683 98755 663ece 98755->98755 98757 62e835 98756->98757 98758 663ed3 98757->98758 98761 62e89f 98757->98761 98770 62e8f9 98757->98770 98759 62a000 342 API calls 98758->98759 98760 663ee8 98759->98760 98785 62ead0 Mailbox 98760->98785 98831 68a0b5 90 API calls 4 library calls 98760->98831 98764 6277c7 59 API calls 98761->98764 98761->98770 98762 6277c7 59 API calls 
98762->98770 98765 663f2e 98764->98765 98767 642f80 __cinit 67 API calls 98765->98767 98766 642f80 __cinit 67 API calls 98766->98770 98767->98770 98768 663f50 98768->98683 98769 628620 69 API calls 98769->98785 98770->98762 98770->98766 98770->98768 98772 62eaba 98770->98772 98770->98785 98772->98785 98832 68a0b5 90 API calls 4 library calls 98772->98832 98773 628ea0 59 API calls 98773->98785 98774 62f2f5 98836 68a0b5 90 API calls 4 library calls 98774->98836 98775 629df0 Mailbox 59 API calls 98775->98785 98776 62a000 342 API calls 98776->98785 98779 66424f 98779->98683 98781 68a0b5 90 API calls 98781->98785 98785->98769 98785->98773 98785->98774 98785->98775 98785->98776 98785->98781 98786 62ebd8 98785->98786 98830 6280d7 59 API calls 2 library calls 98785->98830 98833 677405 59 API calls 98785->98833 98834 69c8d7 342 API calls 98785->98834 98835 69b851 342 API calls Mailbox 98785->98835 98837 6996db 342 API calls Mailbox 98785->98837 98786->98683 98788 62f7b0 98787->98788 98789 62f61a 98787->98789 98790 627f41 59 API calls 98788->98790 98791 62f626 98789->98791 98792 664848 98789->98792 98798 62f6ec Mailbox 98790->98798 98924 62f3f0 342 API calls 2 library calls 98791->98924 98925 69bf80 342 API calls Mailbox 98792->98925 98795 664856 98799 62f790 98795->98799 98926 68a0b5 90 API calls 4 library calls 98795->98926 98797 62f65d 98797->98795 98797->98798 98797->98799 98838 683e73 98798->98838 98841 68cde5 98798->98841 98921 69e24b 98798->98921 98799->98683 98800 629df0 Mailbox 59 API calls 98801 62f743 98800->98801 98801->98799 98801->98800 98806 623212 98805->98806 98807 6231e0 98805->98807 98806->98683 98807->98806 98808 623205 IsDialogMessageW 98807->98808 98809 65d182 GetClassLongW 98807->98809 98808->98806 98808->98807 98809->98807 98809->98808 98810->98612 98811->98617 98812->98683 98813->98622 98814->98622 98815->98622 98816->98683 98817->98683 98818->98683 98819->98683 98820->98683 98821->98666 98822->98666 98823->98666 98824->98666 98825->98666 
98826->98666 98827->98666 98828->98753 98829->98755 98830->98785 98831->98785 98832->98785 98833->98785 98834->98785 98835->98785 98836->98779 98837->98785 98927 684696 GetFileAttributesW 98838->98927 98842 6277c7 59 API calls 98841->98842 98843 68ce1a 98842->98843 98844 6277c7 59 API calls 98843->98844 98845 68ce23 98844->98845 98846 68ce37 98845->98846 99118 629c9c 59 API calls 98845->99118 98848 629997 85 API calls 98846->98848 98849 68ce54 98848->98849 98850 68cf55 98849->98850 98851 68ce76 98849->98851 98863 68cf85 Mailbox 98849->98863 98931 624f3d 98850->98931 98852 629997 85 API calls 98851->98852 98854 68ce82 98852->98854 98856 6281a7 59 API calls 98854->98856 98858 68ce8e 98856->98858 98857 68cf81 98860 6277c7 59 API calls 98857->98860 98857->98863 98865 68cea2 98858->98865 98866 68ced4 98858->98866 98859 624f3d 136 API calls 98859->98857 98861 68cfb6 98860->98861 98862 6277c7 59 API calls 98861->98862 98864 68cfbf 98862->98864 98863->98801 98868 6277c7 59 API calls 98864->98868 98869 6281a7 59 API calls 98865->98869 98867 629997 85 API calls 98866->98867 98870 68cee1 98867->98870 98871 68cfc8 98868->98871 98872 68ceb2 98869->98872 98873 6281a7 59 API calls 98870->98873 98874 6277c7 59 API calls 98871->98874 98875 627e0b 59 API calls 98872->98875 98876 68ceed 98873->98876 98877 68cfd1 98874->98877 98878 68cebc 98875->98878 99119 684cd3 GetFileAttributesW 98876->99119 98880 629997 85 API calls 98877->98880 98881 629997 85 API calls 98878->98881 98883 68cfde 98880->98883 98884 68cec8 98881->98884 98882 68cef6 98885 68cf09 98882->98885 98888 627b52 59 API calls 98882->98888 98955 6246f9 98883->98955 98887 627c8e 59 API calls 98884->98887 98890 629997 85 API calls 98885->98890 98895 68cf0f 98885->98895 98887->98866 98888->98885 98889 68cff9 99006 627b52 98889->99006 98892 68cf36 98890->98892 99120 683a2b 75 API calls Mailbox 98892->99120 98895->98863 98896 68d03c 98897 6281a7 59 API calls 98896->98897 98899 68d04a 98897->98899 98898 627b52 59 API calls 98900 
68d019 98898->98900 98901 627c8e 59 API calls 98899->98901 98900->98896 98902 627d2c 59 API calls 98900->98902 98903 68d058 98901->98903 98904 68d02e 98902->98904 98905 627c8e 59 API calls 98903->98905 98906 627d2c 59 API calls 98904->98906 98907 68d066 98905->98907 98906->98896 98908 627c8e 59 API calls 98907->98908 98909 68d074 98908->98909 98910 629997 85 API calls 98909->98910 98911 68d080 98910->98911 99009 6842ad 98911->99009 98913 68d091 98914 683e73 3 API calls 98913->98914 98915 68d09b 98914->98915 98916 629997 85 API calls 98915->98916 98919 68d0cc 98915->98919 98917 68d0b9 98916->98917 99063 6893df 98917->99063 99121 624faa 98919->99121 98922 69cdf1 131 API calls 98921->98922 98923 69e25b 98922->98923 98923->98801 98924->98797 98925->98795 98926->98799 98928 683e7a 98927->98928 98929 6846b1 FindFirstFileW 98927->98929 98928->98801 98929->98928 98930 6846c6 FindClose 98929->98930 98930->98928 99127 624d13 98931->99127 98936 65dd0f 98939 624faa 84 API calls 98936->98939 98937 624f68 LoadLibraryExW 99137 624cc8 98937->99137 98941 65dd16 98939->98941 98943 624cc8 3 API calls 98941->98943 98945 65dd1e 98943->98945 98944 624f8f 98944->98945 98946 624f9b 98944->98946 99163 62506b 98945->99163 98947 624faa 84 API calls 98946->98947 98949 624fa0 98947->98949 98949->98857 98949->98859 98952 65dd45 99169 625027 98952->99169 98956 6277c7 59 API calls 98955->98956 98957 62470f 98956->98957 98958 6277c7 59 API calls 98957->98958 98959 624717 98958->98959 98960 6277c7 59 API calls 98959->98960 98961 62471f 98960->98961 98962 6277c7 59 API calls 98961->98962 98963 624727 98962->98963 98964 62475b 98963->98964 98965 65d8fb 98963->98965 98966 6279ab 59 API calls 98964->98966 98967 6281a7 59 API calls 98965->98967 98968 624769 98966->98968 98969 65d904 98967->98969 98970 627e8c 59 API calls 98968->98970 99451 627eec 98969->99451 98972 624773 98970->98972 98973 6279ab 59 API calls 98972->98973 98974 62479e 98972->98974 98977 624794 98973->98977 98975 6247de 98974->98975 
98978 6247bd 98974->98978 98988 65d924 98974->98988 98976 6279ab 59 API calls 98975->98976 98979 6247ef 98976->98979 98980 627e8c 59 API calls 98977->98980 98982 627b52 59 API calls 98978->98982 98983 624801 98979->98983 98986 6281a7 59 API calls 98979->98986 98980->98974 98981 65d9f4 98984 627d2c 59 API calls 98981->98984 98985 6247c7 98982->98985 98987 624811 98983->98987 98989 6281a7 59 API calls 98983->98989 99001 65d9b1 98984->99001 98985->98975 98992 6279ab 59 API calls 98985->98992 98986->98983 98991 624818 98987->98991 98993 6281a7 59 API calls 98987->98993 98988->98981 98990 65d9dd 98988->98990 98999 65d95b 98988->98999 98989->98987 98990->98981 98995 65d9c8 98990->98995 98994 6281a7 59 API calls 98991->98994 99003 62481f Mailbox 98991->99003 98992->98975 98993->98991 98994->99003 98998 627d2c 59 API calls 98995->98998 98996 65d9b9 98997 627d2c 59 API calls 98996->98997 98997->99001 98998->99001 98999->98996 99004 65d9a4 98999->99004 99000 627b52 59 API calls 99000->99001 99001->98975 99001->99000 99455 627a84 59 API calls 2 library calls 99001->99455 99003->98889 99005 627d2c 59 API calls 99004->99005 99005->99001 99007 627faf 59 API calls 99006->99007 99008 627b5d 99007->99008 99008->98896 99008->98898 99010 6842c9 99009->99010 99011 6842dc 99010->99011 99012 6842ce 99010->99012 99014 6277c7 59 API calls 99011->99014 99013 6281a7 59 API calls 99012->99013 99062 6842d7 Mailbox 99013->99062 99015 6842e4 99014->99015 99016 6277c7 59 API calls 99015->99016 99017 6842ec 99016->99017 99018 6277c7 59 API calls 99017->99018 99019 6842f7 99018->99019 99020 6277c7 59 API calls 99019->99020 99021 6842ff 99020->99021 99022 6277c7 59 API calls 99021->99022 99023 684307 99022->99023 99024 6277c7 59 API calls 99023->99024 99025 68430f 99024->99025 99026 6277c7 59 API calls 99025->99026 99027 684317 99026->99027 99028 6277c7 59 API calls 99027->99028 99029 68431f 99028->99029 99030 6246f9 59 API calls 99029->99030 99031 684336 99030->99031 99062->98913 99064 6893ec 
__ftell_nolock 99063->99064 99065 640ff6 Mailbox 59 API calls 99064->99065 99066 689449 99065->99066 99067 62538e 59 API calls 99066->99067 99068 689453 99067->99068 99458 6891e9 99068->99458 99070 68945e 99118->98846 99119->98882 99120->98895 99122 624fb4 99121->99122 99123 624fbb 99121->99123 99124 6455d6 __fcloseall 83 API calls 99122->99124 99125 624fca 99123->99125 99126 624fdb FreeLibrary 99123->99126 99124->99123 99125->98863 99126->99125 99174 624d61 99127->99174 99130 624d3a 99131 624d53 99130->99131 99132 624d4a FreeLibrary 99130->99132 99134 64548b 99131->99134 99132->99131 99133 624d61 2 API calls 99133->99130 99178 6454a0 99134->99178 99136 624f5c 99136->98936 99136->98937 99259 624d94 99137->99259 99140 624ced 99142 624d08 99140->99142 99143 624cff FreeLibrary 99140->99143 99141 624d94 2 API calls 99141->99140 99144 624dd0 99142->99144 99143->99142 99145 640ff6 Mailbox 59 API calls 99144->99145 99146 624de5 99145->99146 99263 62538e 99146->99263 99148 624df1 _memmove 99149 624e2c 99148->99149 99150 624f21 99148->99150 99151 624ee9 99148->99151 99152 625027 69 API calls 99149->99152 99277 689ba5 95 API calls 99150->99277 99266 624fe9 CreateStreamOnHGlobal 99151->99266 99158 624e35 99152->99158 99155 62506b 74 API calls 99155->99158 99156 624ec9 99156->98944 99158->99155 99158->99156 99159 65dcd0 99158->99159 99272 625045 99158->99272 99160 625045 85 API calls 99159->99160 99161 65dce4 99160->99161 99162 62506b 74 API calls 99161->99162 99162->99156 99164 65ddf6 99163->99164 99165 62507d 99163->99165 99301 645812 99165->99301 99168 689393 GetSystemTimeAsFileTime 99168->98952 99170 625036 99169->99170 99171 65ddb9 99169->99171 99433 645e90 99170->99433 99173 62503e 99175 624d2e 99174->99175 99176 624d6a LoadLibraryA 99174->99176 99175->99130 99175->99133 99176->99175 99177 624d7b GetProcAddress 99176->99177 99177->99175 99181 6454ac __close 99178->99181 99179 6454bf 99227 648d68 58 API calls __getptd_noexit 99179->99227 99181->99179 99183 6454f0 
99181->99183 99182 6454c4 99228 648ff6 9 API calls __beginthread 99182->99228 99197 650738 99183->99197 99186 6454f5 99187 6454fe 99186->99187 99188 64550b 99186->99188 99229 648d68 58 API calls __getptd_noexit 99187->99229 99189 645535 99188->99189 99190 645515 99188->99190 99212 650857 99189->99212 99230 648d68 58 API calls __getptd_noexit 99190->99230 99194 6454cf __close @_EH4_CallFilterFunc@8 99194->99136 99198 650744 __close 99197->99198 99199 649e4b __lock 58 API calls 99198->99199 99210 650752 99199->99210 99200 6507c6 99232 65084e 99200->99232 99201 6507cd 99237 648a5d 58 API calls __malloc_crt 99201->99237 99204 650843 __close 99204->99186 99205 6507d4 99205->99200 99238 64a06b InitializeCriticalSectionAndSpinCount 99205->99238 99206 649ed3 __mtinitlocknum 58 API calls 99206->99210 99209 6507fa EnterCriticalSection 99209->99200 99210->99200 99210->99201 99210->99206 99235 646e8d 59 API calls __lock 99210->99235 99236 646ef7 LeaveCriticalSection LeaveCriticalSection _doexit 99210->99236 99221 650877 __wopenfile 99212->99221 99213 650891 99243 648d68 58 API calls __getptd_noexit 99213->99243 99215 650a4c 99215->99213 99219 650aaf 99215->99219 99216 650896 99244 648ff6 9 API calls __beginthread 99216->99244 99218 645540 99231 645562 LeaveCriticalSection LeaveCriticalSection _fprintf 99218->99231 99240 6587f1 99219->99240 99221->99213 99221->99215 99221->99221 99245 643a0b 60 API calls 2 library calls 99221->99245 99223 650a45 99223->99215 99246 643a0b 60 API calls 2 library calls 99223->99246 99225 650a64 99225->99215 99247 643a0b 60 API calls 2 library calls 99225->99247 99227->99182 99228->99194 99229->99194 99230->99194 99231->99194 99239 649fb5 LeaveCriticalSection 99232->99239 99234 650855 99234->99204 99235->99210 99236->99210 99237->99205 99238->99209 99239->99234 99248 657fd5 99240->99248 99242 65880a 99242->99218 99243->99216 99244->99218 99245->99223 99246->99225 99247->99215 99249 657fe1 __close 99248->99249 99250 657ff7 99249->99250 99253 65802d 
99249->99253 99251 648d68 __beginthread 58 API calls 99250->99251 99252 657ffc 99251->99252 99255 648ff6 __beginthread 9 API calls 99252->99255 99254 65809e __wsopen_nolock 109 API calls 99253->99254 99256 658049 99254->99256 99258 658006 __close 99255->99258 99257 658072 __wsopen_helper LeaveCriticalSection 99256->99257 99257->99258 99258->99242 99260 624ce1 99259->99260 99261 624d9d LoadLibraryA 99259->99261 99260->99140 99260->99141 99261->99260 99262 624dae GetProcAddress 99261->99262 99262->99260 99264 640ff6 Mailbox 59 API calls 99263->99264 99265 6253a0 99264->99265 99265->99148 99267 625003 FindResourceExW 99266->99267 99268 625020 99266->99268 99267->99268 99269 65dd5c LoadResource 99267->99269 99268->99149 99269->99268 99270 65dd71 SizeofResource 99269->99270 99270->99268 99271 65dd85 LockResource 99270->99271 99271->99268 99273 65ddd4 99272->99273 99274 625054 99272->99274 99278 645a7d 99274->99278 99276 625062 99276->99158 99277->99149 99281 645a89 __close 99278->99281 99279 645a9b 99291 648d68 58 API calls __getptd_noexit 99279->99291 99281->99279 99282 645ac1 99281->99282 99293 646e4e 99282->99293 99283 645aa0 99292 648ff6 9 API calls __beginthread 99283->99292 99288 645aab __close 99288->99276 99289 645ad6 99300 645af8 LeaveCriticalSection LeaveCriticalSection _fprintf 99289->99300 99291->99283 99292->99288 99294 646e80 EnterCriticalSection 99293->99294 99295 646e5e 99293->99295 99296 645ac7 99294->99296 99295->99294 99297 646e66 99295->99297 99299 6459ee 83 API calls 5 library calls 99296->99299 99298 649e4b __lock 58 API calls 99297->99298 99298->99296 99299->99289 99300->99288 99304 64582d 99301->99304 99303 62508e 99303->99168 99305 645839 __close 99304->99305 99306 64587c 99305->99306 99307 64584f _memset 99305->99307 99308 645874 __close 99305->99308 99309 646e4e __lock_file 59 API calls 99306->99309 99331 648d68 58 API calls __getptd_noexit 99307->99331 99308->99303 99311 645882 99309->99311 99317 64564d 99311->99317 99312 645869 99332 648ff6 
[Callgraph: node/edge list of the interactive viewer omitted. Recoverable content: the graph covers the AutoIt runtime's CRT start-up and file I/O (GetStartupInfoW, GetProcessHeap, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetModuleFileNameW, GetStdHandle, GetFileType, ReadFile, ReadConsoleW, GetConsoleMode, MultiByteToWideChar, HeapAlloc, TlsAlloc, TlsSetValue, EncodePointer, DecodePointer, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, Sleep, GetCurrentThreadId, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetLastError), path and registry helpers (GetFullPathNameW, GetLongPathNameW, GetCurrentDirectoryW, SetCurrentDirectoryW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey), COM/OLE string handling (VariantInit, VariantClear, SysAllocString, SysFreeString, lstrcmpiW, RaiseException), UI calls (IsThemeActive, SystemParametersInfoW, GetOpenFileNameW, MessageBoxA) and the IsDebuggerPresent check of the main function listed below.]

                    Control-flow Graph

                    APIs
                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00623B7A
                    • IsDebuggerPresent.KERNEL32 ref: 00623B8C
                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,006E62F8,006E62E0,?,?), ref: 00623BFD
                      • Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66
                      • Part of subcall function 00630A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00623C26,006E62F8,?,?,?), ref: 00630ACE
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00623C81
                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,006D93F0,00000010), ref: 0065D4BC
                    • SetCurrentDirectoryW.KERNEL32(?,006E62F8,?,?,?), ref: 0065D4F4
                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,006D5D40,006E62F8,?,?,?), ref: 0065D57A
                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 0065D581
                      • Part of subcall function 00623A58: GetSysColorBrush.USER32(0000000F), ref: 00623A62
                      • Part of subcall function 00623A58: LoadCursorW.USER32(00000000,00007F00), ref: 00623A71
                      • Part of subcall function 00623A58: LoadIconW.USER32(00000063), ref: 00623A88
                      • Part of subcall function 00623A58: LoadIconW.USER32(000000A4), ref: 00623A9A
                      • Part of subcall function 00623A58: LoadIconW.USER32(000000A2), ref: 00623AAC
                      • Part of subcall function 00623A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00623AD2
                      • Part of subcall function 00623A58: RegisterClassExW.USER32(?), ref: 00623B28
                      • Part of subcall function 006239E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00623A15
                      • Part of subcall function 006239E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00623A36
                      • Part of subcall function 006239E7: ShowWindow.USER32(00000000,?,?), ref: 00623A4A
                      • Part of subcall function 006239E7: ShowWindow.USER32(00000000,?,?), ref: 00623A53
                      • Part of subcall function 006243DB: _memset.LIBCMT ref: 00624401
                      • Part of subcall function 006243DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006244A6
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
• Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                    • String ID: This is a third-party compiled AutoIt script.$runas$%k
                    • API String ID: 529118366-1914796069
                    • Opcode ID: 40e066b1c1fbc01c3b8536cf3cd5ef9f857daaa4bc94f594fc4965d4cf7a46b6
                    • Instruction ID: b68db007986ceca37184697c6e6ed0f113986d525b6cef67b9281caa7c270131
                    • Opcode Fuzzy Hash: 40e066b1c1fbc01c3b8536cf3cd5ef9f857daaa4bc94f594fc4965d4cf7a46b6
                    • Instruction Fuzzy Hash: 9A511530E047A8AECF11ABB4EC45EED7B7BAB15340F004169F551AA2A1DB345706CF25

                    Control-flow Graph

                    • Executed
                    • Not Executed
control_flow_graph (basic block, address range, API called, successors):
• 1237 624fe9-625001 CreateStreamOnHGlobal -> 1238, 1239
• 1238 625003-62501a FindResourceExW -> 1240, 1241
• 1239 625021-625026 (exit block, no successors)
• 1240 625020 -> 1239
• 1241 65dd5c-65dd6b LoadResource -> 1240, 1242
• 1242 65dd71-65dd7f SizeofResource -> 1240, 1243
• 1243 65dd85-65dd90 LockResource -> 1240, 1244
• 1244 65dd96-65ddb4 (no API call) -> 1240
                    APIs
                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00624EEE,?,?,00000000,00000000), ref: 00624FF9
                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00624EEE,?,?,00000000,00000000), ref: 00625010
                    • LoadResource.KERNEL32(?,00000000,?,?,00624EEE,?,?,00000000,00000000,?,?,?,?,?,?,00624F8F), ref: 0065DD60
                    • SizeofResource.KERNEL32(?,00000000,?,?,00624EEE,?,?,00000000,00000000,?,?,?,?,?,?,00624F8F), ref: 0065DD75
                    • LockResource.KERNEL32(Nb,?,?,00624EEE,?,?,00000000,00000000,?,?,?,?,?,?,00624F8F,00000000), ref: 0065DD88
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                    • String ID: SCRIPT$Nb
                    • API String ID: 3051347437-1100917352
                    • Opcode ID: 550bb2abbf84832286b1ef024f3be3d6b3062e772c37ec8ccc7d3cb302f3fc4f
                    • Instruction ID: dd3115b2b64bf8cdf0e5313344a0894b2e8f516a523734da64d3b58fd54baca7
                    • Opcode Fuzzy Hash: 550bb2abbf84832286b1ef024f3be3d6b3062e772c37ec8ccc7d3cb302f3fc4f
                    • Instruction Fuzzy Hash: B5115E75240B00AFD7319BA5EC58FA77BBAEBCAB11F104168F406C6660DB71EC008A61

                    Control-flow Graph

                    APIs
                    • GetVersionExW.KERNEL32(?), ref: 00624B2B
                      • Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66
                    • GetCurrentProcess.KERNEL32(?,006AFAEC,00000000,00000000,?), ref: 00624BF8
                    • IsWow64Process.KERNEL32(00000000), ref: 00624BFF
                    • GetNativeSystemInfo.KERNEL32(00000000), ref: 00624C45
                    • FreeLibrary.KERNEL32(00000000), ref: 00624C50
                    • GetSystemInfo.KERNEL32(00000000), ref: 00624C81
                    • GetSystemInfo.KERNEL32(00000000), ref: 00624C8D
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                    • String ID:
                    • API String ID: 1986165174-0
                    • Opcode ID: 09d7f70fa35ec6513d2ae153e50661cf9532761e9130d27f12a75a79f777972c
                    • Instruction ID: e5049e17281d8778882b1e6d22f6ed2b6c057879d1bbba80602b085e1213955c
                    • Opcode Fuzzy Hash: 09d7f70fa35ec6513d2ae153e50661cf9532761e9130d27f12a75a79f777972c
                    • Instruction Fuzzy Hash: 7191F43154ABD0DEC732DB6894511EABFE6AF2A301F444D9DE4CB93B41D620F908CB1A

                    Control-flow Graph

                    APIs
                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0067DAC5
                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0067DAFB
                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0067DB0C
                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0067DB8E
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ErrorMode$AddressCreateInstanceProc
                    • String ID: ,,k$DllGetClassObject
                    • API String ID: 753597075-913296791
                    • Opcode ID: 1d8bfbd24a7ba504e6871081ac83b99501cab7653230ce1ff27d10d06106bf97
                    • Instruction ID: 2b1d8638c1d8a9604943462cfe2ea5bc5875a587ccbada547dede363979c3f12
                    • Opcode Fuzzy Hash: 1d8bfbd24a7ba504e6871081ac83b99501cab7653230ce1ff27d10d06106bf97
                    • Instruction Fuzzy Hash: 44418FB1600209EFDB15DF54C884A9A7BBAEF48710F15C9AEED099F205D7B1DD44CBA0
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: BuffCharUpper
                    • String ID: prn$%k
                    • API String ID: 3964851224-2951428792
                    • Opcode ID: 9a6aefd8781f9c43695a8148b905b40bb5ca6a60298d78f7864504744d6ce00e
                    • Instruction ID: 65da69cf8ab4b2a35b6aaace279180ccd640c6dfd4fa55cd6b32515383210721
                    • Opcode Fuzzy Hash: 9a6aefd8781f9c43695a8148b905b40bb5ca6a60298d78f7864504744d6ce00e
                    • Instruction Fuzzy Hash: 2C926A74608751CFE760DF14C490B6AB7E2BF89304F14896DE98A8B352DB71EC49CB92
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID:
                    • String ID: Dtn$Dtn$Dtn$Dtn$Variable must be of type 'Object'.
                    • API String ID: 0-3728122387
                    • Opcode ID: 3689dafd1801d9d01e3ab5f6a47eec66f845ce9c5ffe254348e91f3984025369
                    • Instruction ID: 79f7924cc3ed7fc6fd1ba28dfddb6d43f0cb0784a01b0f6db9b5a5acf622c091
                    • Opcode Fuzzy Hash: 3689dafd1801d9d01e3ab5f6a47eec66f845ce9c5ffe254348e91f3984025369
                    • Instruction Fuzzy Hash: 2CA28F74A04A25CFCB14CF98E580AA9B7B3FF58300F648169E916AB351D736ED42CF91
                    APIs
                    • GetFileAttributesW.KERNEL32(?,0065E7C1), ref: 006846A6
                    • FindFirstFileW.KERNEL32(?,?), ref: 006846B7
                    • FindClose.KERNEL32(00000000), ref: 006846C7
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: FileFind$AttributesCloseFirst
                    • String ID:
                    • API String ID: 48322524-0
                    • Opcode ID: a0cfda598c16333944a6fc1b9fb10070f9918db2a6fdaf88a124be736d6f11d4
                    • Instruction ID: 814e33d68dd44e054eb52020e84d5bb4b8648a742abe7b09ce91ada108990838
                    • Opcode Fuzzy Hash: a0cfda598c16333944a6fc1b9fb10070f9918db2a6fdaf88a124be736d6f11d4
                    • Instruction Fuzzy Hash: 2CE0D8314104015B471077B8EC4D4EA779E9F07335F100715F835C11E0FBB06D908AD6
                    APIs
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00630BBB
                    • timeGetTime.WINMM ref: 00630E76
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00630FB3
                    • TranslateMessage.USER32(?), ref: 00630FC7
                    • DispatchMessageW.USER32(?), ref: 00630FD5
                    • Sleep.KERNEL32(0000000A), ref: 00630FDF
                    • LockWindowUpdate.USER32(00000000,?,?), ref: 0063105A
                    • DestroyWindow.USER32 ref: 00631066
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00631080
                    • Sleep.KERNEL32(0000000A,?,?), ref: 006652AD
                    • TranslateMessage.USER32(?), ref: 0066608A
                    • DispatchMessageW.USER32(?), ref: 00666098
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006660AC
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$prn$prn$prn$prn
                    • API String ID: 4003667617-1506231113
                    • Opcode ID: a0a5fdc177551849110bb8d5dbb39b60b23627a86c0b126c382ef7b6ba311a11
                    • Instruction ID: 004021c08a25bd527ace40fde2ad04792c66cf87f8a6ac4716573893a5913a43
                    • Opcode Fuzzy Hash: a0a5fdc177551849110bb8d5dbb39b60b23627a86c0b126c382ef7b6ba311a11
                    • Instruction Fuzzy Hash: F6B2AF70608741DFD724DF24C895BAAB7E7BF85304F14491DF48A8B2A1DB71E889CB86

                    Control-flow Graph

                    APIs
                    • VariantInit.OLEAUT32(00000000), ref: 00687FE9
                    • VariantCopy.OLEAUT32(00000000,?), ref: 00687FF2
                    • VariantClear.OLEAUT32(00000000), ref: 00687FFE
                    • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 006880EC
                    • __swprintf.LIBCMT ref: 0068811C
                    • VarR8FromDec.OLEAUT32(?,?), ref: 00688148
                    • VariantInit.OLEAUT32(?), ref: 006881F9
                    • SysFreeString.OLEAUT32(00000016), ref: 0068828D
                    • VariantClear.OLEAUT32(?), ref: 006882E7
                    • VariantClear.OLEAUT32(?), ref: 006882F6
                    • VariantInit.OLEAUT32(00000000), ref: 00688334
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                    • String ID: %4d%02d%02d%02d%02d%02d$Default
                    • API String ID: 3730832054-3931177956
                    • Opcode ID: 5c9f4a6c7d39779575d81e653a6eb13d43eee1c464b80bb8c26fa3f7883c0ae9
                    • Instruction ID: d20b30418fb28843c7277501b48e9718277d038f2ff33f1f74e563267dde671b
                    • Opcode Fuzzy Hash: 5c9f4a6c7d39779575d81e653a6eb13d43eee1c464b80bb8c26fa3f7883c0ae9
                    • Instruction Fuzzy Hash: 41D1F331604615DFDB20BF65D844BAAB7B7FF09300F548269E9059B281CF30EC49EBA1

                    Control-flow Graph

                    APIs
                      • Part of subcall function 006891E9: __time64.LIBCMT ref: 006891F3
                      • Part of subcall function 00625045: _fseek.LIBCMT ref: 0062505D
                    • __wsplitpath.LIBCMT ref: 006894BE
                      • Part of subcall function 0064432E: __wsplitpath_helper.LIBCMT ref: 0064436E
                    • _wcscpy.LIBCMT ref: 006894D1
                    • _wcscat.LIBCMT ref: 006894E4
                    • __wsplitpath.LIBCMT ref: 00689509
                    • _wcscat.LIBCMT ref: 0068951F
                    • _wcscat.LIBCMT ref: 00689532
                      • Part of subcall function 0068922F: _memmove.LIBCMT ref: 00689268
                      • Part of subcall function 0068922F: _memmove.LIBCMT ref: 00689277
                    • _wcscmp.LIBCMT ref: 00689479
                      • Part of subcall function 006899BE: _wcscmp.LIBCMT ref: 00689AAE
                      • Part of subcall function 006899BE: _wcscmp.LIBCMT ref: 00689AC1
                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006896DC
                    • _wcsncpy.LIBCMT ref: 0068974F
                    • DeleteFileW.KERNEL32(?,?), ref: 00689785
                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0068979B
                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006897AC
                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006897BE
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                    • String ID:
                    • API String ID: 1500180987-0
                    • Opcode ID: 41d63813ee4c5c064c755f27cf62ecda41d35d943b94cd588862b5facfe6a634
                    • Instruction ID: 53c90532a11b6d24742a36a6a3f85f7324d7cbf47e8535353ba215f6096f003e
                    • Opcode Fuzzy Hash: 41d63813ee4c5c064c755f27cf62ecda41d35d943b94cd588862b5facfe6a634
                    • Instruction Fuzzy Hash: BFC131B1D00229AEDF61EF95CC85AEEB7BEEF45300F0441AAF509E7151DB309A848F65

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00623074
                    • RegisterClassExW.USER32(00000030), ref: 0062309E
                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006230AF
                    • InitCommonControlsEx.COMCTL32(?), ref: 006230CC
                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006230DC
                    • LoadIconW.USER32(000000A9), ref: 006230F2
                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00623101
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                    • API String ID: 2914291525-1005189915
                    • Opcode ID: fde4c662ebad99fdb413ee843d8191cd53277fb8c0e8adca846a38aae10abe19
                    • Instruction ID: 1884f0fc51d965ca7a8a3c86e50f7f385a713eca82baf24f82d80944093c2fe7
                    • Opcode Fuzzy Hash: fde4c662ebad99fdb413ee843d8191cd53277fb8c0e8adca846a38aae10abe19
                    • Instruction Fuzzy Hash: A4314BB1941349EFDB409FE4EC84ACEBBF5FB1A310F10552AF540AA2A0D3B65541CF91

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00623074
                    • RegisterClassExW.USER32(00000030), ref: 0062309E
                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006230AF
                    • InitCommonControlsEx.COMCTL32(?), ref: 006230CC
                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006230DC
                    • LoadIconW.USER32(000000A9), ref: 006230F2
                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00623101
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                    • API String ID: 2914291525-1005189915
                    • Opcode ID: 27aaa417d191d00a83de9183a3baff59e44b01bffcf209e7502378201e5db50e
                    • Instruction ID: 7402043ce9faee4e5514f4f86e27577a875888014036d50a18888e9828a184e4
                    • Opcode Fuzzy Hash: 27aaa417d191d00a83de9183a3baff59e44b01bffcf209e7502378201e5db50e
                    • Instruction Fuzzy Hash: 9321E8B1911358EFDB00EFD4E888B9EBBF6FB09750F00512AF511AA2A0D7B155448FA1

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00624864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006E62F8,?,006237C0,?), ref: 00624882
                      • Part of subcall function 0064074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,006272C5), ref: 00640771
                    • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00627308
                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0065ECF1
                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0065ED32
                    • RegCloseKey.ADVAPI32(?), ref: 0065ED70
                    • _wcscat.LIBCMT ref: 0065EDC9
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                    • API String ID: 2673923337-2727554177
                    • Opcode ID: 4d3294758c6d05e46633234a4a627be9dc7173e5cfddc1f2dc1d4947ef979856
                    • Instruction ID: 06acd003aeaba1c8135ab1f5eb0246bc1b9399898dcaa60aa225ce2a9eeb4533
                    • Opcode Fuzzy Hash: 4d3294758c6d05e46633234a4a627be9dc7173e5cfddc1f2dc1d4947ef979856
                    • Instruction Fuzzy Hash: B971AF714083519EC754EF65EC818ABBBFAFF59340F40152EF6458B2A0EB309A49CF66

                    Control-flow Graph

                    APIs
                    • DefWindowProcW.USER32(?,?,?,?), ref: 006236D2
                    • KillTimer.USER32(?,00000001), ref: 006236FC
                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0062371F
                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0062372A
                    • CreatePopupMenu.USER32 ref: 0062373E
                    • PostQuitMessage.USER32(00000000), ref: 0062375F
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                    • String ID: TaskbarCreated$%k
                    • API String ID: 129472671-2455537126
                    • Opcode ID: 73bb031fc4cdd07e33bbe96431cf7780a8533522e9b8dcaa7ee038582a12a5b8
                    • Instruction ID: cfe9f21d3dfe07d9dafade70823c35a81dd24b920c6779368dcaa20f5ac0bbd1
                    • Opcode Fuzzy Hash: 73bb031fc4cdd07e33bbe96431cf7780a8533522e9b8dcaa7ee038582a12a5b8
                    • Instruction Fuzzy Hash: 43415EB1100A75BBDF206F64FC49BBA375BE711340F000128FA42863E1CB69AE059F7A

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00623A62
                    • LoadCursorW.USER32(00000000,00007F00), ref: 00623A71
                    • LoadIconW.USER32(00000063), ref: 00623A88
                    • LoadIconW.USER32(000000A4), ref: 00623A9A
                    • LoadIconW.USER32(000000A2), ref: 00623AAC
                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00623AD2
                    • RegisterClassExW.USER32(?), ref: 00623B28
                      • Part of subcall function 00623041: GetSysColorBrush.USER32(0000000F), ref: 00623074
                      • Part of subcall function 00623041: RegisterClassExW.USER32(00000030), ref: 0062309E
                      • Part of subcall function 00623041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006230AF
                      • Part of subcall function 00623041: InitCommonControlsEx.COMCTL32(?), ref: 006230CC
                      • Part of subcall function 00623041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006230DC
                      • Part of subcall function 00623041: LoadIconW.USER32(000000A9), ref: 006230F2
                      • Part of subcall function 00623041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00623101
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                    • String ID: #$0$AutoIt v3
                    • API String ID: 423443420-4155596026
                    • Opcode ID: 554d19adb8733e9ca8b78ec659e43f9008ca069d126e2855d156023a11012560
                    • Instruction ID: bf3fc0d6dfdfe0d1fbb51f5b6e7d2f4cad0f0794ce00de6790675a4bc4a92c91
                    • Opcode Fuzzy Hash: 554d19adb8733e9ca8b78ec659e43f9008ca069d126e2855d156023a11012560
                    • Instruction Fuzzy Hash: AA217E70D00354AFDB109FA4EC89B9D7FB6FB18751F001129F604AE2E0C3BAA6448F84

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$bn
                    • API String ID: 1825951767-3767551264
                    • Opcode ID: 225bd4b126ec8a3fae2c19a4af6d2f0e86b7d4b1f927477d6d21595cc7b38462
                    • Instruction ID: 40e9fcdb388054038c20029dbdcd19c7a56e0ab7fd00720b00342222937a432f
                    • Opcode Fuzzy Hash: 225bd4b126ec8a3fae2c19a4af6d2f0e86b7d4b1f927477d6d21595cc7b38462
                    • Instruction Fuzzy Hash: ADA14D71C106799ACB54EBA0EC91AEEB77ABF14300F10042EF512B7291EF345A09CF65

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID:
                    • String ID: NULL Pointer assignment$Not an Object type
                    • API String ID: 0-572801152
                    • Opcode ID: bd78841b4b1da6905576f572115e947e7530f41851156b1d68fb6229d81bce8d
                    • Instruction ID: 208f3daec0daaa8067a16bc123365dfc45c21251a5a90b714ce10e076c64de81
                    • Opcode Fuzzy Hash: bd78841b4b1da6905576f572115e947e7530f41851156b1d68fb6229d81bce8d
                    • Instruction Fuzzy Hash: 26C18071A0020A9FDF10DFA8C885AEEB7FAEB48314F14856DE905AB780D7709D45CBA1

                    Control-flow Graph

                    APIs
                      • Part of subcall function 006403A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006403D3
                      • Part of subcall function 006403A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 006403DB
                      • Part of subcall function 006403A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006403E6
                      • Part of subcall function 006403A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006403F1
                      • Part of subcall function 006403A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 006403F9
                      • Part of subcall function 006403A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00640401
                      • Part of subcall function 00636259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0062FA90), ref: 006362B4
                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0062FB2D
                    • OleInitialize.OLE32(00000000), ref: 0062FBAA
                    • CloseHandle.KERNEL32(00000000), ref: 006649F2
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                    • String ID: <gn$\dn$%k$cn
                    • API String ID: 1986988660-1507471717
                    • Opcode ID: 7996d7bdfed47b884922c221ab3f0457ed09d2403d070d1949e91e8aeab86ca6
                    • Instruction ID: bb3881c844c26755a5e8df7bcc967427e1337f19f702871319b40f72a0bfef4c
                    • Opcode Fuzzy Hash: 7996d7bdfed47b884922c221ab3f0457ed09d2403d070d1949e91e8aeab86ca6
                    • Instruction Fuzzy Hash: EE81ACB09013D0CEC784EF6AE9956557BE7EB78398710A13EB019CF2A1EB3154098F55

                    Control-flow Graph

                    APIs
                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00F30965
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309826710.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_f30000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                    • Instruction ID: aa11bb7a4713479dee012ea064e97ed5fec483db82be1e3574ff934f5534f41c
                    • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                    • Instruction Fuzzy Hash: 5F510876A50208FBEF20DFA4CC59FDEB778EF48710F108555F60AEA280DA749A45DB60
                    APIs
                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00623A15
                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00623A36
                    • ShowWindow.USER32(00000000,?,?), ref: 00623A4A
                    • ShowWindow.USER32(00000000,?,?), ref: 00623A53
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Window$CreateShow
                    • String ID: AutoIt v3$edit
                    • API String ID: 1584632944-3779509399
                    • Opcode ID: af7e43a1f191a44ef4ea907605917b9b888a80523f46d53cebb713ec4b52fd36
                    • Instruction ID: 3e5530b9a58fc66026365aa8075b7892a3f84c26d67ef5cefb9fe0f720f6ba7b
                    • Opcode Fuzzy Hash: af7e43a1f191a44ef4ea907605917b9b888a80523f46d53cebb713ec4b52fd36
                    • Instruction Fuzzy Hash: 62F030706003D07EEB301753AC88E773E7FD7D7FA0B001029BA00A61B0C1A51840CEB1
                    APIs
                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0065D5EC
                      • Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66
                    • _memset.LIBCMT ref: 0062418D
                    • _wcscpy.LIBCMT ref: 006241E1
                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006241F1
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                    • String ID: Line:
                    • API String ID: 3942752672-1585850449
                    • Opcode ID: f7333f9e64fc6c41b0096b638a2007321aa3f7eabe46fe6f9cde9629d1ad3ae1
                    • Instruction ID: 216e956f36c2b920803b28c7bbff503ca761f44f30d891de5e6ba3ce7a271447
                    • Opcode Fuzzy Hash: f7333f9e64fc6c41b0096b638a2007321aa3f7eabe46fe6f9cde9629d1ad3ae1
                    • Instruction Fuzzy Hash: 8731C1710087649ED761EB60EC86FDB77EAAF54300F10491EB185961A1EF70A748CF97
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                    • String ID:
                    • API String ID: 1559183368-0
                    • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                    • Instruction ID: 796443faea8dc5d7818a43a0fb82a5020b810ca70a887d30a1c7e4ea766f8c87
                    • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                    • Instruction Fuzzy Hash: 1F519030A01B05DBDB249FA9C8806AE77A7AF41320F258739F826962E2D7709D558B44
                    APIs
                    • CLSIDFromProgID.COMBASE(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?,?,?,0067799D), ref: 0067766F
                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?,?), ref: 0067768A
                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?,?), ref: 00677698
                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?), ref: 006776A8
                    • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?,?), ref: 006776B4
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: From$Prog$FreeStringTasklstrcmpi
                    • String ID:
                    • API String ID: 3897988419-0
                    • Opcode ID: cc4c0562b9586d1c964ae1b56e87bdb6aba9b853e925eff5326da773e24f5c80
                    • Instruction ID: 4ead645a5596e807462867a8b59ad4f9e3cee1670d05add9dcc2ba52ae5b3c48
                    • Opcode Fuzzy Hash: cc4c0562b9586d1c964ae1b56e87bdb6aba9b853e925eff5326da773e24f5c80
                    • Instruction Fuzzy Hash: E901D476600604FBDB106F58DC04BAABBBEEB45751F204128FD08D2225E735EE008BA0
                    APIs
                      • Part of subcall function 00624F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006E62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00624F6F
                    • _free.LIBCMT ref: 0065E68C
                    • _free.LIBCMT ref: 0065E6D3
                      • Part of subcall function 00626BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00626D0D
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _free$CurrentDirectoryLibraryLoad
                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                    • API String ID: 2861923089-1757145024
                    • Opcode ID: 879752a9d73582548d98e7bda2a74ba9094baeaf5fa77df445f88a11aa1ff267
                    • Instruction ID: a5b78750d539d481067f99023741edb735c9470233f4bf9ab122b054ded4dd97
                    • Opcode Fuzzy Hash: 879752a9d73582548d98e7bda2a74ba9094baeaf5fa77df445f88a11aa1ff267
                    • Instruction Fuzzy Hash: A0919F719106299FCF48EFA4D8919EDB7B6FF15300F14442EF815AB291EB319A09CF64
                    APIs
                      • Part of subcall function 00F322A0: Sleep.KERNEL32(000001F4), ref: 00F322B1
                    • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00F324A5
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309826710.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_f30000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: CreateFileSleep
                    • String ID: GGWIBKIU3IZ6OK
                    • API String ID: 2694422964-2496954480
                    • Opcode ID: c66dd5cd2ef4e813f288cdd4d5c9276431fa01897a6da45dc18578ed1f81633c
                    • Instruction ID: 6720f9d64be4e5a4f8b0517c83d33ec65346ce4ca478a6692ebd83627e4f1177
                    • Opcode Fuzzy Hash: c66dd5cd2ef4e813f288cdd4d5c9276431fa01897a6da45dc18578ed1f81633c
                    • Instruction Fuzzy Hash: E0517071D04259EBEF10DBA4C815BEEBB78AF14310F004199E608BB2C0DBB95B45DBA5
                    APIs
                    • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,006235A1,SwapMouseButtons,00000004,?), ref: 006235D4
                    • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,006235A1,SwapMouseButtons,00000004,?,?,?,?,00622754), ref: 006235F5
                    • RegCloseKey.KERNEL32(00000000,?,?,006235A1,SwapMouseButtons,00000004,?,?,?,?,00622754), ref: 00623617
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID: Control Panel\Mouse
                    • API String ID: 3677997916-824357125
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    APIs
                    • CoInitialize.OLE32(00000000), ref: 006983D8
                    • CoUninitialize.OLE32 ref: 006983E3
                      • Part of subcall function 0067DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0067DAC5
                    • VariantInit.OLEAUT32(?), ref: 006983EE
                    • VariantClear.OLEAUT32(?), ref: 006986BF
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                    • String ID:
                    • API String ID: 780911581-0
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                    • String ID:
                    • API String ID: 2782032738-0
                    APIs
                    • _memset.LIBCMT ref: 00624560
                      • Part of subcall function 0062410D: _memset.LIBCMT ref: 0062418D
                      • Part of subcall function 0062410D: _wcscpy.LIBCMT ref: 006241E1
                      • Part of subcall function 0062410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006241F1
                    • KillTimer.USER32(?,00000001,?,?), ref: 006245B5
                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006245C4
                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0065D6CE
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                    • String ID:
                    • API String ID: 1378193009-0
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID: AU3!P/k$EA06
                    • API String ID: 4104443479-947634993
                    APIs
                    • _memset.LIBCMT ref: 0065EE62
                    • GetOpenFileNameW.COMDLG32(?), ref: 0065EEAC
                      • Part of subcall function 006248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006248A1,?,?,006237C0,?), ref: 006248CE
                      • Part of subcall function 006409D5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 006409F4
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Name$Path$FileFullLongOpen_memset
                    • String ID: X
                    • API String ID: 3777226403-3081909835
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: __fread_nolock_memmove
                    • String ID: EA06
                    • API String ID: 1988441806-3962188686
                    APIs
                    • CreateProcessW.KERNEL32(?,00000000), ref: 00F31045
                    • ExitProcess.KERNEL32(00000000), ref: 00F31064
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309826710.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_f30000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Process$CreateExit
                    • String ID: D
                    • API String ID: 126409537-2746444292
                    APIs
                    • GetTempPathW.KERNEL32(00000104,?), ref: 00689B82
                    • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00689B99
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Temp$FileNamePath
                    • String ID: aut
                    • API String ID: 3285503233-3010740371
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    APIs
                    • _memset.LIBCMT ref: 00624401
                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 006244A6
                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 006244C3
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: IconNotifyShell_$_memset
                    • String ID:
                    • API String ID: 1505330794-0
                    APIs
                    • __FF_MSGBANNER.LIBCMT ref: 00645963
                      • Part of subcall function 0064A3AB: __NMSG_WRITE.LIBCMT ref: 0064A3D2
                      • Part of subcall function 0064A3AB: __NMSG_WRITE.LIBCMT ref: 0064A3DC
                    • __NMSG_WRITE.LIBCMT ref: 0064596A
                      • Part of subcall function 0064A408: GetModuleFileNameW.KERNEL32(00000000,006E43BA,00000104,?,00000001,00000000), ref: 0064A49A
                      • Part of subcall function 0064A408: ___crtMessageBoxW.LIBCMT ref: 0064A548
                      • Part of subcall function 006432DF: ___crtCorExitProcess.LIBCMT ref: 006432E5
                      • Part of subcall function 006432DF: ExitProcess.KERNEL32 ref: 006432EE
                      • Part of subcall function 00648D68: __getptd_noexit.LIBCMT ref: 00648D68
                    • RtlAllocateHeap.NTDLL(00FF0000,00000000,00000001,00000000,?,?,?,00641013,?), ref: 0064598F
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                    • String ID:
                    • API String ID: 1372826849-0
                    APIs
                    • VariantInit.OLEAUT32(00000000), ref: 00687844
                    • VariantCopy.OLEAUT32(00000000,?), ref: 0068784D
                    • VariantClear.OLEAUT32(00000000), ref: 00687859
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Variant$ClearCopyInit
                    • String ID:
                    • API String ID: 1785138364-0
                    APIs
                    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,006897D2,?,?,?,?,?,00000004), ref: 00689B45
                    • SetFileTime.KERNEL32(00000000,?,00000000,?,?,006897D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00689B5B
                    • CloseHandle.KERNEL32(00000000,?,006897D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00689B62
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: File$CloseCreateHandleTime
                    • String ID:
                    • API String ID: 3397143404-0
                    APIs
                    • _free.LIBCMT ref: 00688FA5
                      • Part of subcall function 00642F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00649C64), ref: 00642FA9
                      • Part of subcall function 00642F95: GetLastError.KERNEL32(00000000,?,00649C64), ref: 00642FBB
                    • _free.LIBCMT ref: 00688FB6
                    • _free.LIBCMT ref: 00688FC8
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID:
                    • String ID: CALL
                    • API String ID: 0-4196123274
                    APIs
                    • IsThemeActive.UXTHEME ref: 00624992
                      • Part of subcall function 006435AC: __lock.LIBCMT ref: 006435B2
                      • Part of subcall function 006435AC: DecodePointer.KERNEL32(00000001,?,006249A7,006781BC), ref: 006435BE
                      • Part of subcall function 006435AC: EncodePointer.KERNEL32(?,?,006249A7,006781BC), ref: 006435C9
                      • Part of subcall function 00624A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00624A73
                      • Part of subcall function 00624A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00624A88
                      • Part of subcall function 00623B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00623B7A
                      • Part of subcall function 00623B4C: IsDebuggerPresent.KERNEL32 ref: 00623B8C
                      • Part of subcall function 00623B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,006E62F8,006E62E0,?,?), ref: 00623BFD
                      • Part of subcall function 00623B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00623C81
                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 006249D2
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                    • String ID:
                    • API String ID: 1438897964-0
                    • Opcode ID: ec3491c9b377ced40d971db9b2051c8908d41cbcb8b7572fbd7d29ae1015063a
                    • Instruction ID: 3b9358cf653f9f0df3a262adcb3db7cc8f453fa1559ca9e6d2c1ac6cd3490698
                    • Opcode Fuzzy Hash: ec3491c9b377ced40d971db9b2051c8908d41cbcb8b7572fbd7d29ae1015063a
                    • Instruction Fuzzy Hash: 92118C719083619FC700EF69EC8590ABFEAEB94750F00451EF5458B2B1DB709645CF96
                    APIs
                      • Part of subcall function 0064594C: __FF_MSGBANNER.LIBCMT ref: 00645963
                      • Part of subcall function 0064594C: __NMSG_WRITE.LIBCMT ref: 0064596A
                      • Part of subcall function 0064594C: RtlAllocateHeap.NTDLL(00FF0000,00000000,00000001,00000000,?,?,?,00641013,?), ref: 0064598F
                    • std::exception::exception.LIBCMT ref: 0064102C
                    • __CxxThrowException@8.LIBCMT ref: 00641041
                      • Part of subcall function 006487DB: RaiseException.KERNEL32(?,?,?,006DBAF8,00000000,?,?,?,?,00641046,?,006DBAF8,?,00000001), ref: 00648830
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                     • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                    • String ID:
                    • API String ID: 3902256705-0
                    • Opcode ID: e4cd725b6760611ca5dd3264a95d9bd8df9f1596c475656d6bcc3baf8a2c3a05
                    • Instruction ID: 8a640efbcb1436be535114733047498eb8c6cbe16b2df871646ae4b89d4cce38
                    • Opcode Fuzzy Hash: e4cd725b6760611ca5dd3264a95d9bd8df9f1596c475656d6bcc3baf8a2c3a05
                    • Instruction Fuzzy Hash: 12F0A47550025DA6CB60BE58EC259DF7BEF9F02750F10042AF8049A692DFB18AD08298
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                     • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: __lock_file_memset
                    • String ID:
                    • API String ID: 26237723-0
                    • Opcode ID: f57d7ef24d560aab537a6f3498eac3088a6cb1f3289ed9f815160f726ed0d3a5
                    • Instruction ID: 881636028c4d6ca3f1780ef8472b15208a7debd513359e81d29e7ee33201fc58
                    • Opcode Fuzzy Hash: f57d7ef24d560aab537a6f3498eac3088a6cb1f3289ed9f815160f726ed0d3a5
                    • Instruction Fuzzy Hash: 3601D431C00618EFCF62BF698C014CE7B63AF80360F048219F8141B2A2DF318A11DB95
                    APIs
                      • Part of subcall function 00648D68: __getptd_noexit.LIBCMT ref: 00648D68
                    • __lock_file.LIBCMT ref: 0064561B
                      • Part of subcall function 00646E4E: __lock.LIBCMT ref: 00646E71
                    • __fclose_nolock.LIBCMT ref: 00645626
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                     • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                    • String ID:
                    • API String ID: 2800547568-0
                    • Opcode ID: f21cfc1e9c249882f85c3b1c6eedab7a5256e18935a4df2bce50ef126903bfa4
                    • Instruction ID: b78b62e7f0a2d20cff908d82cf9a3e53ec68d4e53e43f650a28ddc1719cec6ec
                    • Opcode Fuzzy Hash: f21cfc1e9c249882f85c3b1c6eedab7a5256e18935a4df2bce50ef126903bfa4
                    • Instruction Fuzzy Hash: 9FF0B471801B059FDBA0BF75880276E77E36F42734F56820EA416AB1D3CF7C89029B59
                    APIs
                      • Part of subcall function 00F308E0: GetFileAttributesW.KERNEL32(?), ref: 00F308EB
                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00F3119F
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309826710.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_f30000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: AttributesCreateDirectoryFile
                    • String ID:
                    • API String ID: 3401506121-0
                    • Opcode ID: 492a5999c500b8d4a7084f373d412d20450be35b9ed68f2ad82e57f36821b48c
                    • Instruction ID: 662d27f382a2ddd0691bd7911686d77930daf21197f7b83bc1a0470f2a1aca62
                    • Opcode Fuzzy Hash: 492a5999c500b8d4a7084f373d412d20450be35b9ed68f2ad82e57f36821b48c
                    • Instruction Fuzzy Hash: E4518431A1020996EF14EFA0CD55BEF7339EF58310F0045A9B609E7280EB79AB44CBA5
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                     • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: 6dcf0173066d1d90bbabf4ed64d252a8e9357e9795dc1f05d34625e1f33428b7
                    • Instruction ID: cd8644dcb42d52ebc9f6c4e20dbaf232ea15132232e624e6d391bdfaa333c860
                    • Opcode Fuzzy Hash: 6dcf0173066d1d90bbabf4ed64d252a8e9357e9795dc1f05d34625e1f33428b7
                    • Instruction Fuzzy Hash: AD31C335608624DFCF10AF04D08166EBBB6FF85320F2080AEE99A5F785C731A956DF91
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                     • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ClearVariant
                    • String ID:
                    • API String ID: 1473721057-0
                    • Opcode ID: 70b47e761dfc5ddd872326bd97f3461b5551cb7a3ab4992b9003584dd2c1a870
                    • Instruction ID: 66f41c52c23191bd635fcdf1239f31de582caee9cf3efdf49cc0a0daf24dc1c0
                    • Opcode Fuzzy Hash: 70b47e761dfc5ddd872326bd97f3461b5551cb7a3ab4992b9003584dd2c1a870
                    • Instruction Fuzzy Hash: 01412474508751CFDB24DF54C484B5ABBE2BF45318F0988ACE8898B362C772E886CF52
                    APIs
                      • Part of subcall function 00624D13: FreeLibrary.KERNEL32(00000000,?), ref: 00624D4D
                      • Part of subcall function 0064548B: __wfsopen.LIBCMT ref: 00645496
                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006E62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00624F6F
                      • Part of subcall function 00624CC8: FreeLibrary.KERNEL32(00000000), ref: 00624D02
                      • Part of subcall function 00624DD0: _memmove.LIBCMT ref: 00624E1A
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                     • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Library$Free$Load__wfsopen_memmove
                    • String ID:
                    • API String ID: 1396898556-0
                    • Opcode ID: d6bae24cf44a4519f17293f17586dcc36533b6f3fb913c42afea8aa56c4aca5a
                    • Instruction ID: 78780230c171e067005537197f19b5cdee6f181c6758b176bbe9b519976b749d
                    • Opcode Fuzzy Hash: d6bae24cf44a4519f17293f17586dcc36533b6f3fb913c42afea8aa56c4aca5a
                    • Instruction Fuzzy Hash: CA11EB31600B25ABCB60BF74EC02BAD77A79F80701F10842DF541961C1DE715A059F65
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                     • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ClearVariant
                    • String ID:
                    • API String ID: 1473721057-0
                    • Opcode ID: 2209e6e5f9f656d8ae7d9354e1131febdfa940be3289a9b12bb2b41b43fc4a4d
                    • Instruction ID: 00a90603bb18d4981b2b4efdd18fae8e11c32eba83334bf7e2bb87254a0665f7
                    • Opcode Fuzzy Hash: 2209e6e5f9f656d8ae7d9354e1131febdfa940be3289a9b12bb2b41b43fc4a4d
                    • Instruction Fuzzy Hash: 1E215374508751CFCB24DF50D444A5ABBE2BF89304F05896CE88A4B321C731E886CFA3
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                     • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    • Opcode ID: ed56d5d637e767e41a7aa07cf3a5fedc34d30b2a08da54b212d3041c8e260b7a
                    • Instruction ID: a911df16220214efd159d6ac69da6c2e3c10a99c3fd05001b91f81b65ffceca8
                    • Opcode Fuzzy Hash: ed56d5d637e767e41a7aa07cf3a5fedc34d30b2a08da54b212d3041c8e260b7a
                    • Instruction Fuzzy Hash: 6E01F9722087117ED3605F39DC02F67BB9AEF44760F10853EFA5ACA2D1EA31E5408B64
                    APIs
                      • Part of subcall function 00677652: CLSIDFromProgID.COMBASE(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?,?,?,0067799D), ref: 0067766F
                      • Part of subcall function 00677652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?,?), ref: 0067768A
                      • Part of subcall function 00677652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?,?), ref: 00677698
                      • Part of subcall function 00677652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?), ref: 006776A8
                    • IIDFromString.OLE32(00000000,?,?,?,0067DAA9,?,?,?,?,?,?,?,?,?), ref: 0067DC57
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                     • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: From$Prog$FreeStringTasklstrcmpi
                    • String ID:
                    • API String ID: 3897988419-0
                    • Opcode ID: 311be8c026e2152ff7578412c99d4d8836f06dbdfee697e0991648dfc1235162
                    • Instruction ID: 2a34306de5fa7675df6b48f8abe6f58520406e30dcf13d32cb6150253225ccae
                    • Opcode Fuzzy Hash: 311be8c026e2152ff7578412c99d4d8836f06dbdfee697e0991648dfc1235162
                    • Instruction Fuzzy Hash: D3F06DB5200605EBCB01CF05D880A967BAEFF05360B10C126ED0CDE116D3F1E940DBA0
                    APIs
                    • __lock_file.LIBCMT ref: 00644AD6
                      • Part of subcall function 00648D68: __getptd_noexit.LIBCMT ref: 00648D68
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                     • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: __getptd_noexit__lock_file
                    • String ID:
                    • API String ID: 2597487223-0
                    • Opcode ID: 927c9d17f70f3bb57bad6ca12b09cb0d10e26f140fd4bdfe49acf69c819f3830
                    • Instruction ID: 7efd6b01dd4c5cf196547782fc979a08d9eb78cdf1fef68684a1b73afb352f1a
                    • Opcode Fuzzy Hash: 927c9d17f70f3bb57bad6ca12b09cb0d10e26f140fd4bdfe49acf69c819f3830
                    • Instruction Fuzzy Hash: 7DF0AF31940209AFDFA1AF64CC073DE36A3AF00325F058519B824AB2D5CF788A91EF59
                    APIs
                    • FreeLibrary.KERNEL32(?,?,006E62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00624FDE
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                     • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    • Opcode ID: 68f0e42ab24fcb6b5bf4a8309113a0cb0f4a36799444ef4f18f7793598555811
                    • Instruction ID: 8168628c3678dcb48458535c1f12c2369d5b2879ef674b46224e2828d833dbdf
                    • Opcode Fuzzy Hash: 68f0e42ab24fcb6b5bf4a8309113a0cb0f4a36799444ef4f18f7793598555811
                    • Instruction Fuzzy Hash: 07F03971105B22CFCB349F64E594862BBE2BF843293208A3EE1D782A10CB31A844DF40
                    APIs
                    • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 006409F4
                      • Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                     • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: LongNamePath_memmove
                    • String ID:
                    • API String ID: 2514874351-0
                    • Opcode ID: 6d127d237a6e34ced6c5044d25e236965cf00fd665eee2d5490e229b6635f73e
                    • Instruction ID: b966aaf48a041ab929c2f961123adefc588f5d931bb0c5af4c093155048d6e31
                    • Opcode Fuzzy Hash: 6d127d237a6e34ced6c5044d25e236965cf00fd665eee2d5490e229b6635f73e
                    • Instruction Fuzzy Hash: E7E0CD3690522857C720E6989C05FFA77EEDFC9791F0401B5FC4CD7205D9A0AD818A95
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                     • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: __fread_nolock
                    • String ID:
                    • API String ID: 2638373210-0
                    • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                    • Instruction ID: 1db15d27ee06616c43d422e056546c702c6ea7e03d54480db0ad2c1fec8e6e91
                    • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                    • Instruction Fuzzy Hash: 9BE092B0118B005FD7349A24D8147E377E1AB06315F04091CF2EB83342EF6378418759
                    APIs
                    • GetFileAttributesW.KERNEL32(?), ref: 00F308EB
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309826710.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_f30000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                    • Instruction ID: 2456abd0e538b9cef91f56c1b1c845218a850f55f90bc3d2f86e774d82f18183
                    • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                    • Instruction Fuzzy Hash: 04E08C72A0620CEBEB20CBB89828BA973A8DB04330F104656E81AC3281D930CE40B658
                    APIs
                    • GetFileAttributesW.KERNEL32(?), ref: 00F308BB
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309826710.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_f30000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                    • Instruction ID: 7914658330f380b0beba965e6255ecdc740b739bf0939a8ac2e31c8ff3212591
                    • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                    • Instruction Fuzzy Hash: 4BD0A731D0620CFBCB10CFB89C04ADA73A8DB04330F104755FD15D3280DA319D44A7A0
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                     • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: __wfsopen
                    • String ID:
                    • API String ID: 197181222-0
                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                    • Instruction ID: 126fe1666cbe3c7d14d820acbc5053d3efe81823d136888e512cb336dd9b7f96
                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                    • Instruction Fuzzy Hash: 56B0927684020C77DF412E82EC02A593B5A9B40778F808020FB0C1C162A673AAA09689
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                     • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                     • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                    • Instruction ID: c5de99f0ef067f12105bc2f9b9b121b0f05637f8ed4660246ba1f565ec3b2b1c
                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                    • Instruction Fuzzy Hash: BE31D371A00115EBE718DF58D4809A9F7A7FF99300B648AA5EA0ACB751D731EDD1CB80
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309826710.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_f30000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                    • Instruction ID: b87fa97d242d5ca7a79ee9fb7d3ff57b7236095882ee6bdc2261bff969ea0735
                    • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                    • Instruction Fuzzy Hash: 2AE0BF7494010EEFDB00EFA8D9496DE7BB4EF04711F1005A1FD05D7680DB309E549A62
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309826710.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_f30000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                    • Instruction ID: 07845be81ec1cd16ba2ee8c4323d5b8130942f70853ede9f843c26280f92a27c
                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                    • Instruction Fuzzy Hash: 63E0E67494010EDFDB00EFB8D94969E7FB4EF04711F100161FD01D2280D6309D509A72
                    APIs
                      • Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623
                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 006ACE50
                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006ACE91
                    • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 006ACED6
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006ACF00
                    • SendMessageW.USER32 ref: 006ACF29
                    • _wcsncpy.LIBCMT ref: 006ACFA1
                    • GetKeyState.USER32(00000011), ref: 006ACFC2
                    • GetKeyState.USER32(00000009), ref: 006ACFCF
                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006ACFE5
                    • GetKeyState.USER32(00000010), ref: 006ACFEF
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006AD018
                    • SendMessageW.USER32 ref: 006AD03F
                    • SendMessageW.USER32(?,00001030,?,006AB602), ref: 006AD145
                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 006AD15B
                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 006AD16E
                    • SetCapture.USER32(?), ref: 006AD177
                    • ClientToScreen.USER32(?,?), ref: 006AD1DC
                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 006AD1E9
                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006AD203
                    • ReleaseCapture.USER32 ref: 006AD20E
                    • GetCursorPos.USER32(?), ref: 006AD248
                    • ScreenToClient.USER32(?,?), ref: 006AD255
                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 006AD2B1
                    • SendMessageW.USER32 ref: 006AD2DF
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 006AD31C
                    • SendMessageW.USER32 ref: 006AD34B
                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 006AD36C
                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 006AD37B
                    • GetCursorPos.USER32(?), ref: 006AD39B
                    • ScreenToClient.USER32(?,?), ref: 006AD3A8
                    • GetParent.USER32(?), ref: 006AD3C8
                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 006AD431
                    • SendMessageW.USER32 ref: 006AD462
                    • ClientToScreen.USER32(?,?), ref: 006AD4C0
                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 006AD4F0
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 006AD51A
                    • SendMessageW.USER32 ref: 006AD53D
                    • ClientToScreen.USER32(?,?), ref: 006AD58F
                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 006AD5C3
                      • Part of subcall function 006225DB: GetWindowLongW.USER32(?,000000EB), ref: 006225EC
                    • GetWindowLongW.USER32(?,000000F0), ref: 006AD65F
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                    • String ID: @GUI_DRAGID$F$prn
                    • API String ID: 3977979337-3802375623
                    • Opcode ID: 58212058333c0cfebc15a329347d8577cd80dbf5865e7fa4497c0acd5be13d4a
                    • Instruction ID: f3be10944a8387a784906cbb591112a5575e41428e905faf9d0ffc03d8b74f22
                    • Opcode Fuzzy Hash: 58212058333c0cfebc15a329347d8577cd80dbf5865e7fa4497c0acd5be13d4a
                    • Instruction Fuzzy Hash: 6E427C30204341EFD725EF68C884AAABBE6FF4A364F14151DF696872A1C731AC51CF92
                    APIs
                    • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 006A873F
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: %d/%02d/%02d
                    • API String ID: 3850602802-328681919
                    • Opcode ID: 08e30f8c0ae83c98749b33d3ac5741569bb3197c68fc0cc5125eb241cc7a2c75
                    • Instruction ID: e15c69c8c4907ecd63480543ebdc5401e675520bd2265cb1f264693b1439d78d
                    • Opcode Fuzzy Hash: 08e30f8c0ae83c98749b33d3ac5741569bb3197c68fc0cc5125eb241cc7a2c75
                    • Instruction Fuzzy Hash: CA12BE71500214AFEB25AF64CC49FAE7BBAEF8A710F244129F915EB2A1DB709D41CF50
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _memmove$_memset
                    • String ID: 0wm$DEFINE$Oac$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                    • API String ID: 1357608183-261310638
                    • Opcode ID: b97c2cbe8ed1e6d2616e6bb923af12f94eef5d5ad65cb5c9d5fc21fe80f44306
                    • Instruction ID: 58caa4d147c838421bce4a33c846d29864c8dd3a9b22f81ca364b57bf3655bcc
                    • Opcode Fuzzy Hash: b97c2cbe8ed1e6d2616e6bb923af12f94eef5d5ad65cb5c9d5fc21fe80f44306
                    • Instruction Fuzzy Hash: 41939471A00216DFDB24CF58C8917EDB7B2FF48710F25816AE959AB381E7709E81DB90
                    APIs
                    • GetForegroundWindow.USER32(00000000,?), ref: 00624A3D
                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0065DA8E
                    • IsIconic.USER32(?), ref: 0065DA97
                    • ShowWindow.USER32(?,00000009), ref: 0065DAA4
                    • SetForegroundWindow.USER32(?), ref: 0065DAAE
                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0065DAC4
                    • GetCurrentThreadId.KERNEL32 ref: 0065DACB
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0065DAD7
                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0065DAE8
                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0065DAF0
                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 0065DAF8
                    • SetForegroundWindow.USER32(?), ref: 0065DAFB
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0065DB10
                    • keybd_event.USER32(00000012,00000000), ref: 0065DB1B
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0065DB25
                    • keybd_event.USER32(00000012,00000000), ref: 0065DB2A
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0065DB33
                    • keybd_event.USER32(00000012,00000000), ref: 0065DB38
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0065DB42
                    • keybd_event.USER32(00000012,00000000), ref: 0065DB47
                    • SetForegroundWindow.USER32(?), ref: 0065DB4A
                    • AttachThreadInput.USER32(?,?,00000000), ref: 0065DB71
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                    • String ID: Shell_TrayWnd
                    • API String ID: 4125248594-2988720461
                    • Opcode ID: 5d5c0677efe059cda06f6842e4658f1f582d3dbeb611319de250b036e3afdc7c
                    • Instruction ID: 7ba12d964978c2250ecbc26e0c9e60bd4180cb34944bbcc7d131243da65850e1
                    • Opcode Fuzzy Hash: 5d5c0677efe059cda06f6842e4658f1f582d3dbeb611319de250b036e3afdc7c
                    • Instruction Fuzzy Hash: 75316071A40318BAEB306FA19C49FBF3E6EEB45B51F115025FA04AA1D0D6B06901AFA1
                    APIs
                    • OpenClipboard.USER32(006AF910), ref: 00694284
                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 00694292
                    • GetClipboardData.USER32(0000000D), ref: 0069429A
                    • CloseClipboard.USER32 ref: 006942A6
                    • GlobalLock.KERNEL32(00000000), ref: 006942C2
                    • CloseClipboard.USER32 ref: 006942CC
                    • GlobalUnlock.KERNEL32(00000000), ref: 006942E1
                    • IsClipboardFormatAvailable.USER32(00000001), ref: 006942EE
                    • GetClipboardData.USER32(00000001), ref: 006942F6
                    • GlobalLock.KERNEL32(00000000), ref: 00694303
                    • GlobalUnlock.KERNEL32(00000000), ref: 00694337
                    • CloseClipboard.USER32 ref: 00694447
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                    • String ID:
                    • API String ID: 3222323430-0
                    • Opcode ID: 4888cfd9302308d9a07c54109206376bb377c711dada9d0565bbb17d63f4f56c
                    • Instruction ID: 15a6889e8802f93a4db3a5c77c66bbfdef52a8d4333aa59670bfcb74e112a979
                    • Opcode Fuzzy Hash: 4888cfd9302308d9a07c54109206376bb377c711dada9d0565bbb17d63f4f56c
                    • Instruction Fuzzy Hash: 84519131204701ABDB10BFA0EC86F6E77AEAF85B01F10552DF556D21A1DF70E9068F66
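The "APIs" bullets above (OpenClipboard → IsClipboardFormatAvailable(0x0D) → GetClipboardData → GlobalLock, and earlier AttachThreadInput → keybd_event(0x12) → SetForegroundWindow) are what the report's capability signatures such as "Contains functionality for read data from the clipboard" are derived from. The following is an added analyst helper, not Joe Sandbox code and not part of this report: it parses the report's own API bullet format into structured records, decodes the few constant arguments whose meaning is fixed by the Win32 headers (CF_UNICODETEXT = 0x0D, VK_MENU = 0x12, GWL_STYLE = 0xF0), and matches the set of API names against a small, self-chosen capability table. The sample input is constructed from lines copied out of this report; the capability-to-API mapping is my own heuristic, and argument decoding assumes the report's positional arguments are accurate, which they are not when the tool prints "?".

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: API bullet lines copied from this report's function
# listings (clipboard reader, a DACL subcall, and the foreground-window code).
SAMPLE = """\
• OpenClipboard.USER32(006AF910), ref: 00694284
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00694292
• GetClipboardData.USER32(0000000D), ref: 0069429A
• CloseClipboard.USER32 ref: 006942A6
• GlobalLock.KERNEL32(00000000), ref: 006942C2
  • Part of subcall function 0067874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00678766
• AttachThreadInput.USER32(?,00000000,00000001), ref: 0065DAE8
• keybd_event.USER32(00000012,00000000), ref: 0065DB1B
• SetForegroundWindow.USER32(?), ref: 0065DB4A
• _wcsncpy.LIBCMT ref: 006ACFA1
"""

# One bullet: "[Part of subcall function ADDR:] Name.MODULE[(args)][,] ref: ADDR"
LINE_RE = re.compile(
    r"""^\s*[•*-]?\s*
        (?:Part\ of\ subcall\ function\ (?P<sub>[0-9A-Fa-f]+):\s*)?
        (?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)
        (?:\((?P<args>[^)]*)\))?
        \s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$""",
    re.VERBOSE,
)

# Constants from the Win32 headers; only these are decoded, everything else stays raw.
CLIPBOARD_FORMATS = {0x01: "CF_TEXT", 0x0D: "CF_UNICODETEXT"}
VIRTUAL_KEYS = {0x09: "VK_TAB", 0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
                0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
GWL_INDEX = {0xEB: "GWL_USERDATA", 0xEC: "GWL_EXSTYLE", 0xF0: "GWL_STYLE"}
# API name -> {argument position -> decode table}
ARG_TABLES: Dict[str, Dict[int, Dict[int, str]]] = {
    "IsClipboardFormatAvailable": {0: CLIPBOARD_FORMATS},
    "GetClipboardData": {0: CLIPBOARD_FORMATS},
    "keybd_event": {0: VIRTUAL_KEYS},
    "MapVirtualKeyW": {0: VIRTUAL_KEYS},
    "GetKeyState": {0: VIRTUAL_KEYS},
    "GetAsyncKeyState": {0: VIRTUAL_KEYS},
    "GetWindowLongW": {1: GWL_INDEX},
}

# Heuristic capability table (my own choice): a capability is reported only when
# every listed API name appears in the function's direct calls.
CAPABILITY_SIGNATURES = {
    "clipboard read": {"OpenClipboard", "GetClipboardData", "GlobalLock"},
    "foreground focus steal": {"AttachThreadInput", "SetForegroundWindow", "keybd_event"},
    "modifier key polling": {"GetKeyboardState", "GetAsyncKeyState", "GetKeyState"},
    "registry write": {"RegCreateKeyExW", "RegSetValueExW"},
    "user object DACL rewrite": {"GetUserObjectSecurity", "AddAce", "SetUserObjectSecurity"},
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                      # address of the call site inside the dump
    subcall_of: Optional[int]     # set when the report marks the line "Part of subcall function"


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse report API bullets; lines that are not API bullets are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = raw_args.split(",") if raw_args is not None else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16), sub))
    return calls


def annotate(call: ApiCall) -> List[str]:
    """Replace decodable 8-hex-digit constants with their Win32 names; keep '?' and others raw."""
    table = ARG_TABLES.get(call.name, {})
    out = []
    for i, a in enumerate(call.args):
        if i in table and re.fullmatch(r"[0-9A-Fa-f]{8}", a):
            out.append(table[i].get(int(a, 16), a))
        else:
            out.append(a)
    return out


def detect_capabilities(calls: List[ApiCall], include_subcalls: bool = False) -> List[str]:
    """Return the sorted capability names whose full API set is present."""
    names = {c.name for c in calls if include_subcalls or c.subcall_of is None}
    return sorted(cap for cap, required in CAPABILITY_SIGNATURES.items() if required <= names)


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for c in parsed:
        where = f"  (subcall of {c.subcall_of:08X})" if c.subcall_of is not None else ""
        print(f"{c.ref:08X}  {c.name}.{c.module}({', '.join(annotate(c))}){where}")
    print("capabilities:", detect_capabilities(parsed))
```

Feeding it the whole "APIs" block of one function entry rather than the constructed sample gives that function's capability list; subcall lines are excluded by default because they describe callee behaviour, not the function being listed.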
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 0068C9F8
                    • FindClose.KERNEL32(00000000), ref: 0068CA4C
                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0068CA71
                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0068CA88
                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0068CAAF
                    • __swprintf.LIBCMT ref: 0068CAFB
                    • __swprintf.LIBCMT ref: 0068CB3E
                      • Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82
                    • __swprintf.LIBCMT ref: 0068CB92
                      • Part of subcall function 006438D8: __woutput_l.LIBCMT ref: 00643931
                    • __swprintf.LIBCMT ref: 0068CBE0
                      • Part of subcall function 006438D8: __flsbuf.LIBCMT ref: 00643953
                      • Part of subcall function 006438D8: __flsbuf.LIBCMT ref: 0064396B
                    • __swprintf.LIBCMT ref: 0068CC2F
                    • __swprintf.LIBCMT ref: 0068CC7E
                    • __swprintf.LIBCMT ref: 0068CCCD
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                    • API String ID: 3953360268-2428617273
                    • Opcode ID: 879474cae5e65b1645007de4395acac378369a16d0c64a7b10a6e5103845871a
                    • Instruction ID: 916e3079c826c004b1c97d6c21128b305c0d509971a937198ae232be0867d16c
                    • Opcode Fuzzy Hash: 879474cae5e65b1645007de4395acac378369a16d0c64a7b10a6e5103845871a
                    • Instruction Fuzzy Hash: 6FA15FB1408714ABC750FBA4D986DAFB7EEEF94700F40491EF586D2191EA34DA08CB66
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 0068F221
                    • _wcscmp.LIBCMT ref: 0068F236
                    • _wcscmp.LIBCMT ref: 0068F24D
                    • GetFileAttributesW.KERNEL32(?), ref: 0068F25F
                    • SetFileAttributesW.KERNEL32(?,?), ref: 0068F279
                    • FindNextFileW.KERNEL32(00000000,?), ref: 0068F291
                    • FindClose.KERNEL32(00000000), ref: 0068F29C
                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0068F2B8
                    • _wcscmp.LIBCMT ref: 0068F2DF
                    • _wcscmp.LIBCMT ref: 0068F2F6
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0068F308
                    • SetCurrentDirectoryW.KERNEL32(006DA5A0), ref: 0068F326
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0068F330
                    • FindClose.KERNEL32(00000000), ref: 0068F33D
                    • FindClose.KERNEL32(00000000), ref: 0068F34F
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                    • String ID: *.*
                    • API String ID: 1803514871-438819550
                    • Opcode ID: 320b031a41f2767d21c2e6d22cfce408b8b6d8125d19d384083b18c09eb0d7ef
                    • Instruction ID: 78ad512f895e6debf78e2450adc64d37b061e95166cc9d01476592b4edc32d57
                    • Opcode Fuzzy Hash: 320b031a41f2767d21c2e6d22cfce408b8b6d8125d19d384083b18c09eb0d7ef
                    • Instruction Fuzzy Hash: 0731B3765002196BDB10FBF4EC58ADE77AEAF09361F100276E840D3290EB71EE458FA5
                    APIs
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006A0BDE
                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,006AF910,00000000,?,00000000,?,?), ref: 006A0C4C
                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 006A0C94
                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 006A0D1D
                    • RegCloseKey.ADVAPI32(?), ref: 006A103D
                    • RegCloseKey.ADVAPI32(00000000), ref: 006A104A
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Close$ConnectCreateRegistryValue
                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                    • API String ID: 536824911-966354055
                    • Opcode ID: d9663e4296353d5b8b7e90e835b9efbc40d5d7209581cf65c74d5e82ddb152e7
                    • Instruction ID: 836b21a02dc3fffeb3ba3f40c070a3490b43ed9ad868d588701b01ed36faf047
                    • Opcode Fuzzy Hash: d9663e4296353d5b8b7e90e835b9efbc40d5d7209581cf65c74d5e82ddb152e7
                    • Instruction Fuzzy Hash: AA0257356006119FDB54EF24D891E2AB7E6EF89724F04885DF88A9B362CB31EC41CF95
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 0068F37E
                    • _wcscmp.LIBCMT ref: 0068F393
                    • _wcscmp.LIBCMT ref: 0068F3AA
                      • Part of subcall function 006845C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006845DC
                    • FindNextFileW.KERNEL32(00000000,?), ref: 0068F3D9
                    • FindClose.KERNEL32(00000000), ref: 0068F3E4
                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0068F400
                    • _wcscmp.LIBCMT ref: 0068F427
                    • _wcscmp.LIBCMT ref: 0068F43E
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0068F450
                    • SetCurrentDirectoryW.KERNEL32(006DA5A0), ref: 0068F46E
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0068F478
                    • FindClose.KERNEL32(00000000), ref: 0068F485
                    • FindClose.KERNEL32(00000000), ref: 0068F497
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                    • String ID: *.*
                    • API String ID: 1824444939-438819550
                    • Opcode ID: 890530b190aaffcef33628512f278b5c6b84f58d90a8d82d069d9bb3e78d0ba4
                    • Instruction ID: fa0f6971e8cf4e9639fea5931bc38c90c38ea5901fd146faa16a9cb6b0e426c2
                    • Opcode Fuzzy Hash: 890530b190aaffcef33628512f278b5c6b84f58d90a8d82d069d9bb3e78d0ba4
                    • Instruction Fuzzy Hash: 0C31B7715011196BCF10BBA4EC84ADE77EE9F49360F100376E850A32A1DB70DE45CFA5
                    APIs
                      • Part of subcall function 0067874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00678766
                      • Part of subcall function 0067874A: GetLastError.KERNEL32(?,0067822A,?,?,?), ref: 00678770
                      • Part of subcall function 0067874A: GetProcessHeap.KERNEL32(00000008,?,?,0067822A,?,?,?), ref: 0067877F
                      • Part of subcall function 0067874A: HeapAlloc.KERNEL32(00000000,?,0067822A,?,?,?), ref: 00678786
                      • Part of subcall function 0067874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0067879D
                      • Part of subcall function 006787E7: GetProcessHeap.KERNEL32(00000008,00678240,00000000,00000000,?,00678240,?), ref: 006787F3
                      • Part of subcall function 006787E7: HeapAlloc.KERNEL32(00000000,?,00678240,?), ref: 006787FA
                      • Part of subcall function 006787E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00678240,?), ref: 0067880B
                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0067825B
                    • _memset.LIBCMT ref: 00678270
                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0067828F
                    • GetLengthSid.ADVAPI32(?), ref: 006782A0
                    • GetAce.ADVAPI32(?,00000000,?), ref: 006782DD
                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006782F9
                    • GetLengthSid.ADVAPI32(?), ref: 00678316
                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00678325
                    • HeapAlloc.KERNEL32(00000000), ref: 0067832C
                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0067834D
                    • CopySid.ADVAPI32(00000000), ref: 00678354
                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00678385
                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006783AB
                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 006783BF
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                    • String ID:
                    • API String ID: 3996160137-0
                    • Opcode ID: acf473918f453581bf34993f6e78a24a753ff784c4f34f70ea8aa9fe9fbf3b0b
                    • Instruction ID: 834e8adb88c9c2e72f321324c60731931e4e5e736525d034ca735e9b028e9b52
                    • Opcode Fuzzy Hash: acf473918f453581bf34993f6e78a24a753ff784c4f34f70ea8aa9fe9fbf3b0b
                    • Instruction Fuzzy Hash: DD612A71940219EFDF109F94DC48AEEBBBAFF05710B148269F819A7291DB359E05CF60
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID:
                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oac$PJl$UCP)$UTF)$UTF16)
                    • API String ID: 0-3239182561
                    • Opcode ID: a8294f2ab482824a260511882bdaec6f93567423d50acb7071e9519c2d3349ee
                    • Instruction ID: 809d628c56a982d3a5bd69e974260a9a80890f8378f0a7de068c2d99a6a7de30
                    • Opcode Fuzzy Hash: a8294f2ab482824a260511882bdaec6f93567423d50acb7071e9519c2d3349ee
                    • Instruction Fuzzy Hash: 0F725E75E002199BDB24CF59C8907EEB7B6EF49710F14816AE949EB390EB709D81CB90
                    APIs
                      • Part of subcall function 006A10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006A0038,?,?), ref: 006A10BC
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006A0737
                      • Part of subcall function 00629997: __itow.LIBCMT ref: 006299C2
                      • Part of subcall function 00629997: __swprintf.LIBCMT ref: 00629A0C
                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 006A07D6
                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 006A086E
                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 006A0AAD
                    • RegCloseKey.ADVAPI32(00000000), ref: 006A0ABA
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                    • String ID:
                    • API String ID: 1240663315-0
                    • Opcode ID: 0d1fcd4bdbdadbc39200cffcd81c58747592854493bf8062ce91e06494cb6450
                    • Instruction ID: 1d0acd46db280b03178d3a9ec45f9b28e62f3e9e7747073b258d8e8dd1baec8d
                    • Opcode Fuzzy Hash: 0d1fcd4bdbdadbc39200cffcd81c58747592854493bf8062ce91e06494cb6450
                    • Instruction Fuzzy Hash: BDE16F31604310AFDB54EF28C891D6ABBE6EF89714F04856DF54ADB262DA31ED01CF51
                    APIs
                    • GetKeyboardState.USER32(?), ref: 00680241
                    • GetAsyncKeyState.USER32(000000A0), ref: 006802C2
                    • GetKeyState.USER32(000000A0), ref: 006802DD
                    • GetAsyncKeyState.USER32(000000A1), ref: 006802F7
                    • GetKeyState.USER32(000000A1), ref: 0068030C
                    • GetAsyncKeyState.USER32(00000011), ref: 00680324
                    • GetKeyState.USER32(00000011), ref: 00680336
                    • GetAsyncKeyState.USER32(00000012), ref: 0068034E
                    • GetKeyState.USER32(00000012), ref: 00680360
                    • GetAsyncKeyState.USER32(0000005B), ref: 00680378
                    • GetKeyState.USER32(0000005B), ref: 0068038A
                    Similarity
                    • API ID: State$Async$Keyboard
                    • String ID:
                    • API String ID: 541375521-0
                    • Opcode ID: 403e061dc7c655cdd2f68f4e8b8326c3025775570df6fa793576fc5171272238
                    • Instruction ID: 73ecea21d654cfc9aa1c0133053d62583b6bc756fdf5959a9d0900b25e7dadcd
                    • Opcode Fuzzy Hash: 403e061dc7c655cdd2f68f4e8b8326c3025775570df6fa793576fc5171272238
                    • Instruction Fuzzy Hash: F64187349047CA6FFFB1BBA488183E5BAA26F22340F184A9DD5C5563C2D7D45ACC8792
                    Similarity
                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                    • String ID:
                    • API String ID: 1737998785-0
                    • Opcode ID: ad70dc84da74f4a29cf199a1fd70bf9cc3a59e8b2c5d4cfef7fde2aff67dddb6
                    • Instruction ID: bd19bf7dcf4b5133dcadfb41f78f1c222db4fd18338cf38df71cd63c734de0a6
                    • Opcode Fuzzy Hash: ad70dc84da74f4a29cf199a1fd70bf9cc3a59e8b2c5d4cfef7fde2aff67dddb6
                    • Instruction Fuzzy Hash: 192180356006209FDB10AFA0EC49F697BAAEF45711F14901AF946DB261DB30BD02CF59
                    APIs
                      • Part of subcall function 006248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006248A1,?,?,006237C0,?), ref: 006248CE
                      • Part of subcall function 00684CD3: GetFileAttributesW.KERNEL32(?,00683947), ref: 00684CD4
                    • FindFirstFileW.KERNEL32(?,?), ref: 00683ADF
                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00683B87
                    • MoveFileW.KERNEL32(?,?), ref: 00683B9A
                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00683BB7
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00683BD9
                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00683BF5
                    Similarity
                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                    • String ID: \*.*
                    • API String ID: 4002782344-1173974218
                    • Opcode ID: f97739751b8524d8141c0bc5e97dc595e95cdb738d8a5c6a3983840fe7d94a1c
                    • Instruction ID: aac20ee85e261e0f61f34790dd6e40f0c762a4212fa4010177edb2b6e4cd95bf
                    • Opcode Fuzzy Hash: f97739751b8524d8141c0bc5e97dc595e95cdb738d8a5c6a3983840fe7d94a1c
                    • Instruction Fuzzy Hash: E6517D318016699ACF55FBA0D9929EDB77AAF14300F244269E44277291EF306F09CFA4
                    Similarity
                    • API ID:
                    • String ID: ERCP$Oac$VUUU$VUUU$VUUU$VUUU
                    • API String ID: 0-600082611
                    • Opcode ID: c0026eac12160585abec7710b8de897e42de589557b5c3634ba2dd907aee1b53
                    • Instruction ID: d7c6a79bf2d24ab72a702b93d9db77a4cc872e5e55914618e90162e0ef7d2638
                    • Opcode Fuzzy Hash: c0026eac12160585abec7710b8de897e42de589557b5c3634ba2dd907aee1b53
                    • Instruction Fuzzy Hash: B5A25D70E0421A8BDF24CF58C9907EDF7B2BF55314F1486AAD856A7380DB74AE85CB90
                    APIs
                      • Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82
                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0068F6AB
                    • Sleep.KERNEL32(0000000A), ref: 0068F6DB
                    • _wcscmp.LIBCMT ref: 0068F6EF
                    • _wcscmp.LIBCMT ref: 0068F70A
                    • FindNextFileW.KERNEL32(?,?), ref: 0068F7A8
                    • FindClose.KERNEL32(00000000), ref: 0068F7BE
                    Similarity
                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                    • String ID: *.*
                    • API String ID: 713712311-438819550
                    • Opcode ID: 0dcee286482e92a1d6660a54ece730d9c043ba249dc7e6089d1e68851649ead9
                    • Instruction ID: cb19c19b2f258876b876adf854b8049287ece437d78dd2b27357e51e3ff455e6
                    • Opcode Fuzzy Hash: 0dcee286482e92a1d6660a54ece730d9c043ba249dc7e6089d1e68851649ead9
                    • Instruction Fuzzy Hash: 0441917190021A9FDF50EFA4DC45AEEBBB6FF05310F14466AE815A3290EB309E44CFA4
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    • Opcode ID: 16d649d592e220f7f3de6682f2e6597416994588fc0465a3b3ced113830dd592
                    • Instruction ID: ed871253ee992cd4c75dcf378d9d2ce6edf9f7dc7cd27d5ae18a2d89dac309ca
                    • Opcode Fuzzy Hash: 16d649d592e220f7f3de6682f2e6597416994588fc0465a3b3ced113830dd592
                    • Instruction Fuzzy Hash: A0128E70A00A19DFDF14DFA4D985AEEB7F6FF48300F108569E406A7291EB35AD11CBA4
                    APIs
                      • Part of subcall function 00640FF6: std::exception::exception.LIBCMT ref: 0064102C
                      • Part of subcall function 00640FF6: __CxxThrowException@8.LIBCMT ref: 00641041
                    • _memmove.LIBCMT ref: 0067062F
                    • _memmove.LIBCMT ref: 00670744
                    • _memmove.LIBCMT ref: 006707EB
                    Similarity
                    • API ID: _memmove$Exception@8Throwstd::exception::exception
                    • String ID: yZc
                    • API String ID: 1300846289-814616561
                    • Opcode ID: fb20f538d029b415d2798dd19a941b126dd824c6f680a42cadec27c9f172148a
                    • Instruction ID: cdda8c0e440d41e342a030945dd7e3aab8c6c624d36d1957e84c38c2d27560b2
                    • Opcode Fuzzy Hash: fb20f538d029b415d2798dd19a941b126dd824c6f680a42cadec27c9f172148a
                    • Instruction Fuzzy Hash: 4A02A0B0E00619DFDF44DF64D981AAEBBB6EF44300F148069E80ADB395EB31D951CBA5
                    APIs
                      • Part of subcall function 00678CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00678D0D
                      • Part of subcall function 00678CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00678D3A
                      • Part of subcall function 00678CC3: GetLastError.KERNEL32 ref: 00678D47
                    • ExitWindowsEx.USER32(?,00000000), ref: 0068549B
                    Similarity
                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                    • String ID: $@$SeShutdownPrivilege
                    • API String ID: 2234035333-194228
                    • Opcode ID: 4fc6870d78378d751b8a03fbbd99c5ca3cef1b85fe0135353fe3a166110dddf3
                    • Instruction ID: 45d49c4cbf4a1d01962d2ee482498e4ba6705fa52c6c82cae4d7b83100fdd681
                    • Opcode Fuzzy Hash: 4fc6870d78378d751b8a03fbbd99c5ca3cef1b85fe0135353fe3a166110dddf3
                    • Instruction Fuzzy Hash: D6012431A94A112AE76873B89C4ABFA729AAB01742F200335FC07E22C2DA601C848395
                    Similarity
                    • API ID: __itow__swprintf
                    • String ID: Oac
                    • API String ID: 674341424-752515563
                    • Opcode ID: 1bae02c4fd73ebc06590abc702513ab0fe8e03888682e9afa6bff0dc42fc4a6f
                    • Instruction ID: 3d5df8df8b223ba4d03d0046d30de0d300722fd09047d248c1538dc5999f0541
                    • Opcode Fuzzy Hash: 1bae02c4fd73ebc06590abc702513ab0fe8e03888682e9afa6bff0dc42fc4a6f
                    • Instruction Fuzzy Hash: B922BC716083119FD760DF24C891BAFB7E6AF84714F00891DF88A97391DB30EA45CB96
                    APIs
                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006965EF
                    • WSAGetLastError.WSOCK32(00000000), ref: 006965FE
                    • bind.WSOCK32(00000000,?,00000010), ref: 0069661A
                    • listen.WSOCK32(00000000,00000005), ref: 00696629
                    • WSAGetLastError.WSOCK32(00000000), ref: 00696643
                    • closesocket.WSOCK32(00000000,00000000), ref: 00696657
                    Similarity
                    • API ID: ErrorLast$bindclosesocketlistensocket
                    • String ID:
                    • API String ID: 1279440585-0
                    • Opcode ID: 23c51119ef66ca8f6fca4ed61c28c4802b67cdda5b2cf6a46bec3145a32613a8
                    • Instruction ID: ad0da5d92464fce17e173bdedbb9603e737422b70649ffd7c0a79cd033df9356
                    • Opcode Fuzzy Hash: 23c51119ef66ca8f6fca4ed61c28c4802b67cdda5b2cf6a46bec3145a32613a8
                    • Instruction Fuzzy Hash: C5219C306006109FDF10AF64D889A6EB7BAEF49720F14816DF95AE73D1CB70AD01CB66
                    APIs
                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00678B2A
                    • OpenProcessToken.ADVAPI32(00000000), ref: 00678B31
                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00678B40
                    • CloseHandle.KERNEL32(00000004), ref: 00678B4B
                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00678B7A
                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 00678B8E
                    Similarity
                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                    • String ID:
                    • API String ID: 1413079979-0
                    • Opcode ID: 3b8057cb75608b99c534bb8ef083008e17fe207b56640a301da7e04e80f25262
                    • Instruction ID: 3c18cc337248d3bd9bd9d4fbe85a1d2a5fc63b4857885815b29d0eebbcf64090
                    • Opcode Fuzzy Hash: 3b8057cb75608b99c534bb8ef083008e17fe207b56640a301da7e04e80f25262
                    • Instruction Fuzzy Hash: FD1159B2540209AFDF019FE4ED49FDA7BAAEF09704F049064FE08A2160C7729D60AB61
                    APIs
                      • Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623
                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 006219FA
                    • GetSysColor.USER32(0000000F), ref: 00621A4E
                    • SetBkColor.GDI32(?,00000000), ref: 00621A61
                      • Part of subcall function 00621290: DefDlgProcW.USER32(?,00000020,?), ref: 006212D8
                    Similarity
                    • API ID: ColorProc$LongWindow
                    • String ID:
                    • API String ID: 3744519093-0
                    • Opcode ID: c184b44729d9b0bdf301a314e7ce5371cd751a538556758920a082b9111a759a
                    • Instruction ID: 7dd92563720663fef9a0b07e4e4f2ff3d056cc15be84ec3c48ea383d0e882ea3
                    • Opcode Fuzzy Hash: c184b44729d9b0bdf301a314e7ce5371cd751a538556758920a082b9111a759a
                    • Instruction Fuzzy Hash: 47A16A70109DA4BAD738AB28AC55EFF255FDB63392F14010DF802DD291CE129D429EBA
                    APIs
                      • Part of subcall function 006980A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006980CB
                    • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00696AB1
                    • WSAGetLastError.WSOCK32(00000000), ref: 00696ADA
                    • bind.WSOCK32(00000000,?,00000010), ref: 00696B13
                    • WSAGetLastError.WSOCK32(00000000), ref: 00696B20
                    • closesocket.WSOCK32(00000000,00000000), ref: 00696B34
                    Similarity
                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                    • String ID:
                    • API String ID: 99427753-0
                    • Opcode ID: d70d0146a00056a365824f144b26e3a8516d3ef56b231e3776103cca862785fa
                    • Instruction ID: 5980af3c8d941c2059e17db81bf4feea3d2d9b5e737826613d07f407673b98af
                    • Opcode Fuzzy Hash: d70d0146a00056a365824f144b26e3a8516d3ef56b231e3776103cca862785fa
                    • Instruction Fuzzy Hash: 1E41B875B007209FEB50BF64EC86F6E77AA9B45720F04805CF95AAB3C2DA705D018B65
                    Similarity
                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                    • String ID:
                    • API String ID: 292994002-0
                    • Opcode ID: be49ddaa520a370df366ab498f7d1e8e12af782e62959ab76cafeee86acf569f
                    • Instruction ID: f6fa8269d32b169700089b781a19857d21ff23694865ad7db616ccb7231a6981
                    • Opcode Fuzzy Hash: be49ddaa520a370df366ab498f7d1e8e12af782e62959ab76cafeee86acf569f
                    • Instruction Fuzzy Hash: 0811C831B00A206FD721BF66DC44A6F779BEF56721B446029F447D7251CB70ED018EA5
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00661D88,?), ref: 0069C312
                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0069C324
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                    • API String ID: 2574300362-1816364905
                    • Opcode ID: b153108118aeb41b2419bf1c290f027d7bf2282df3f03ec9e73eaf4b8b220707
                    • Instruction ID: 1c1906e39962db70979077478d31aa10fdb7c396dbc5bf335e9d553c06608ada
                    • Opcode Fuzzy Hash: b153108118aeb41b2419bf1c290f027d7bf2282df3f03ec9e73eaf4b8b220707
                    • Instruction Fuzzy Hash: 2FE08C70600703CFDF206F65C814A8676EAEB09765B809439E895C2710E770E841CBA0
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32 ref: 0069F151
                    • Process32FirstW.KERNEL32(00000000,?), ref: 0069F15F
                      • Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82
                    • Process32NextW.KERNEL32(00000000,?), ref: 0069F21F
                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0069F22E
                    Similarity
                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                    • String ID:
                    • API String ID: 2576544623-0
                    • Opcode ID: 10de3efe5086b2b7de6c3c74b60578c400a9fe89f4519ba800b86c674792ac15
                    • Instruction ID: 30e9fb436e4fc92022ca2be840f08a67a0c1f7adb77cae54df22344537bbe020
                    • Opcode Fuzzy Hash: 10de3efe5086b2b7de6c3c74b60578c400a9fe89f4519ba800b86c674792ac15
                    • Instruction Fuzzy Hash: 89519E715047119FD750EF24EC82E6BB7EAFF88710F14482DF49697291EB70AA08CB96
                    APIs
                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0067EB19
                    Strings
                    Similarity
                    • API ID: lstrlen
                    • String ID: ($|
                    • API String ID: 1659193697-1631851259
                    • Opcode ID: 7bf91054a77c2d88a66f39a1b167650e30051d85c6a3906c0cb7d360dff8fc6a
                    • Instruction ID: 4604e0eb13f43f38f55815e8b77c954f3a70890e6bc18597f2271e45b89e4890
                    • Opcode Fuzzy Hash: 7bf91054a77c2d88a66f39a1b167650e30051d85c6a3906c0cb7d360dff8fc6a
                    • Instruction Fuzzy Hash: F0324775A007059FD728CF29C4819AAB7F2FF48710B15C5AEE89ADB3A1E770E941CB44
                    APIs
                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00691AFE,00000000), ref: 006926D5
                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0069270C
                    Similarity
                    • API ID: Internet$AvailableDataFileQueryRead
                    • String ID:
                    • API String ID: 599397726-0
                    • Opcode ID: 4951d73e4298132ff8a25d5e6c142369fd9e510392d17054b1bff5fc25a5fc12
                    • Instruction ID: ac8e10845c3bcb82bf5e0fed2558c502fe92c207577597bc9401fccb08a6f92d
                    • Opcode Fuzzy Hash: 4951d73e4298132ff8a25d5e6c142369fd9e510392d17054b1bff5fc25a5fc12
                    • Instruction Fuzzy Hash: 8041D67550420ABFEF20DF94DC95EFBB7FEEB40714F10406EF601AAA40EA71AE419664
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 0068B5AE
                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0068B608
                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0068B655
                    Similarity
                    • API ID: ErrorMode$DiskFreeSpace
                    • String ID:
                    • API String ID: 1682464887-0
                    • Opcode ID: a8529d01cc9abec94d9327392e4e19c5088aedd60b47c55e0237e704d1cadc3b
                    • Instruction ID: 9ab07dc85f5759b58eb328f0ef2998a67783abbf05d87d0610f675ee1c29bd77
                    • Opcode Fuzzy Hash: a8529d01cc9abec94d9327392e4e19c5088aedd60b47c55e0237e704d1cadc3b
                    • Instruction Fuzzy Hash: AC219035A00618EFCB00EFA5D881EADBBB9FF89310F0480A9E805AB351DB31A945CF55
                    APIs
                      • Part of subcall function 00640FF6: std::exception::exception.LIBCMT ref: 0064102C
                      • Part of subcall function 00640FF6: __CxxThrowException@8.LIBCMT ref: 00641041
                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00678D0D
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00678D3A
                    • GetLastError.KERNEL32 ref: 00678D47
                    Similarity
                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                    • String ID:
                    • API String ID: 1922334811-0
                    • Opcode ID: 29d5b57fcc1dcd938273d1e8d83234c342c6ca827211dc9c58ff9c05b34b0b49
                    • Instruction ID: ff584e7043d73de80b9ce62746fe858a8a4429202db3d0d1eacceddf20f236ad
                    • Opcode Fuzzy Hash: 29d5b57fcc1dcd938273d1e8d83234c342c6ca827211dc9c58ff9c05b34b0b49
                    • Instruction Fuzzy Hash: 761182B1414209AFE728EF64DC85D6BB7BEEF44711B10852EF45597241DB30BC418A64
                    APIs
                    • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0068404B
                    • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00684088
                    • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00684091
                    Similarity
                    • API ID: CloseControlCreateDeviceFileHandle
                    • String ID:
                    • API String ID: 33631002-0
                    • Opcode ID: a607be82088e7902060537c94925b3cf93544ef3898886d223614c0d0120f051
                    • Instruction ID: 5fe8919d668dc3882b2d696828171f421a7e0f503c24c0c419810f0ae5fe0019
                    • Opcode Fuzzy Hash: a607be82088e7902060537c94925b3cf93544ef3898886d223614c0d0120f051
                    • Instruction Fuzzy Hash: 071186B1D00229BEE710EBE8DC44FAFBBBDEB09710F000656BA04E7190C6745D0547E1
                    APIs
                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00684C2C
                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00684C43
                    • FreeSid.ADVAPI32(?), ref: 00684C53
                    Similarity
                    • API ID: AllocateCheckFreeInitializeMembershipToken
                    • String ID:
                    • API String ID: 3429775523-0
                    • Opcode ID: 22efc697dd797eb4ea8c907821d7c49fae9a281ffd72cac6305375a69a442b0d
                    • Instruction ID: 4add5b5fa732cf0c9ec5ec2efc59275e0801fb0bb0b8a977f5a55b3c7da7d24c
                    • Opcode Fuzzy Hash: 22efc697dd797eb4ea8c907821d7c49fae9a281ffd72cac6305375a69a442b0d
                    • Instruction Fuzzy Hash: 1DF04975A1130DBFDF04EFF0DC99AAEBBBDEF08201F0044A9A901E2281E6706A448B51
                    APIs
                    • __time64.LIBCMT ref: 00688B25
                      • Part of subcall function 0064543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,006891F8,00000000,?,?,?,?,006893A9,00000000,?), ref: 00645443
                      • Part of subcall function 0064543A: __aulldiv.LIBCMT ref: 00645463
                    Strings
                    Similarity
                    • API ID: Time$FileSystem__aulldiv__time64
                    • String ID: 0un
                    • API String ID: 2893107130-594083182
                    • Opcode ID: bbb403f9d7eea51e82d14c86b7a615713157a4f0473f58a45b1e7620928b95d2
                    • Instruction ID: cdd2fe97890f66e66170747fe7e8d54155425eb216bc6b212a4950c81d838f64
                    • Opcode Fuzzy Hash: bbb403f9d7eea51e82d14c86b7a615713157a4f0473f58a45b1e7620928b95d2
                    • Instruction Fuzzy Hash: 4721A2726256108FC729CF25D441A92B3E2EBA5311B688F6CD1E5CF2D0CE74BD45CB94
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: af8eb52b4d6bae248d5d9aed57128a2591903827a87d13542a0b537096d7be77
                    • Instruction ID: 4da9631dd5d50af1f18b08d3e50d265e73db9f0eb588438d53fbf4640c2a753d
                    • Opcode Fuzzy Hash: af8eb52b4d6bae248d5d9aed57128a2591903827a87d13542a0b537096d7be77
                    • Instruction Fuzzy Hash: 16229E74A00626CFDB24DF54E485AAEB7F2FF08300F148179E856AB341E736A985CF91
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 0068C966
                    • FindClose.KERNEL32(00000000), ref: 0068C996
                    Similarity
                    • API ID: Find$CloseFileFirst
                    • String ID:
                    • API String ID: 2295610775-0
                    • Opcode ID: e7060d9aaed8ba6c3202e4fc8b1f6a9512079da73110057b39e45af9051cc912
                    • Instruction ID: 91fbac5ae4ce1fa7042d49ad8f9fdfe1e78f6408eaf3efd2d6497f17ae4c3726
                    • Opcode Fuzzy Hash: e7060d9aaed8ba6c3202e4fc8b1f6a9512079da73110057b39e45af9051cc912
                    • Instruction Fuzzy Hash: 0711A5316006109FDB10EF29D845A2AF7E6FF85320F00895EF8A9D7291DB30AC00CF95
                    APIs
                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0069977D,?,006AFB84,?), ref: 0068A302
                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0069977D,?,006AFB84,?), ref: 0068A314
                    Similarity
                    • API ID: ErrorFormatLastMessage
                    • String ID:
                    • API String ID: 3479602957-0
                    • Opcode ID: eebdef662a46044a397985283c5bc5eb6166fb77df18e217d260bd40f6160d87
                    • Instruction ID: cb1fc4407ed84f7748abacfc4b1f8e6e17a1682028b250f9e1cf8d1b91ce8eb7
                    • Opcode Fuzzy Hash: eebdef662a46044a397985283c5bc5eb6166fb77df18e217d260bd40f6160d87
                    • Instruction Fuzzy Hash: 12F0823554422DBBEB10AFE4CC48FEA776EBF09762F00426ABD08D6181D6309944CFE1
                    APIs
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00678851), ref: 00678728
                    • CloseHandle.KERNEL32(?,?,00678851), ref: 0067873A
                    Similarity
                    • API ID: AdjustCloseHandlePrivilegesToken
                    • String ID:
                    • API String ID: 81990902-0
                    • Opcode ID: 6c4091113d70277dd84aa8a16fd7c5ae0f1a1e19514d9044a6320daeb8a50362
                    • Instruction ID: c9ffd368d18b2838ae79ae1fa32de02596dd2a2dbd94e4da1cfcfdf28b32015f
                    • Opcode Fuzzy Hash: 6c4091113d70277dd84aa8a16fd7c5ae0f1a1e19514d9044a6320daeb8a50362
                    • Instruction Fuzzy Hash: 48E0EC76010650EFEB652B60EC09D77BBEAEF05750724993DF49684470DB62ACD0DB50
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00648F97,?,?,?,00000001), ref: 0064A39A
                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0064A3A3
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: b24af25b72076449e2fd8c1f451b728a956d4323268f5cacef8b6b492d247c47
                    • Instruction ID: 5c85b47a9ca5b165b631710f4af02afe2340066ed290384afa5387285e4f0ed4
                    • Opcode Fuzzy Hash: b24af25b72076449e2fd8c1f451b728a956d4323268f5cacef8b6b492d247c47
                    • Instruction Fuzzy Hash: 6FB09231054208ABCF003BD1EC59B883F6AEB46AA2F405020F60D84060CFA264508ED2
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 63008b15ba1aecddb184ce8883c4bf4e67c9e11081837e19bffc2b8bab8c42e6
                    • Instruction ID: 527728fb85bc77a6f23567bd6c88dfe5a5ea450d1fc02d2f055a2292363fe23e
                    • Opcode Fuzzy Hash: 63008b15ba1aecddb184ce8883c4bf4e67c9e11081837e19bffc2b8bab8c42e6
                    • Instruction Fuzzy Hash: F0320661D69F414DD7239A34D872336A28AAFB73C4F15E737E819B5AA6EB29C4C34100
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1a6796f2c6ef5f5173263e5ef29dbede143c0688f7cb9bd0078eac47621ad5c4
                    • Instruction ID: b2e34f7a5f20aaf746769600f585e87c328fdeff188d8a135365c2b726a399fd
                    • Opcode Fuzzy Hash: 1a6796f2c6ef5f5173263e5ef29dbede143c0688f7cb9bd0078eac47621ad5c4
                    • Instruction Fuzzy Hash: A1B1BA70D2AF414DD72396398831336BA8DAFBB2C5F51E71BFC2674922EB2185C34241
                    APIs
                    • BlockInput.USER32(00000001), ref: 00694218
                    Similarity
                    • API ID: BlockInput
                    • String ID:
                    • API String ID: 3456056419-0
                    • Opcode ID: c6badf24650ca70dfa603b473a27348e3d68b08986ed6cfce47adf7433e660db
                    • Instruction ID: 0b7d1c2335ff90ec607b3491c5e21c9879b06574ee9dceaea8675bae3d4854b3
                    • Opcode Fuzzy Hash: c6badf24650ca70dfa603b473a27348e3d68b08986ed6cfce47adf7433e660db
                    • Instruction Fuzzy Hash: B6E04F312406149FDB10EF5AE845E9AF7EEAF98760F00802AFC49C7752DA71E9418FA1
                    APIs
                    • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00684F18
                    Similarity
                    • API ID: mouse_event
                    • String ID:
                    • API String ID: 2434400541-0
                    • Opcode ID: 6c68284c96cfff2663245c11875f17d6956d21996fe1f0d06d7e0bda7bd6d249
                    • Instruction ID: 496537a596ebbeb583c6776f7c086ea77f6b917d3216e696247d3eb176461ca2
                    • Opcode Fuzzy Hash: 6c68284c96cfff2663245c11875f17d6956d21996fe1f0d06d7e0bda7bd6d249
                    • Instruction Fuzzy Hash: 0FD05EF016420738FC187B20AC0FFB6110BF3C0781F845B8D3301855C1ADE56801A635
                    APIs
                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,006788D1), ref: 00678CB3
                    Similarity
                    • API ID: LogonUser
                    • String ID:
                    • API String ID: 1244722697-0
                    • Opcode ID: a160111d4390295db2277937de674a0e445223d3a9b6d0c1fa73d2d122585ac6
                    • Instruction ID: 47a9b81596f014605f68be65e8699609b4d55a97aa46cd00c40cc4b43bcce695
                    • Opcode Fuzzy Hash: a160111d4390295db2277937de674a0e445223d3a9b6d0c1fa73d2d122585ac6
                    • Instruction Fuzzy Hash: 73D05E322A050EABEF019FA4DC01EAE3B6AEB04B01F408111FE15C50A1C775E835AF60
                    APIs
                    • GetUserNameW.ADVAPI32(?,?), ref: 00662242
                    Similarity
                    • API ID: NameUser
                    • String ID:
                    • API String ID: 2645101109-0
                    • Opcode ID: d314e144aa22bf2e00de8a2ba1158ad967813c73277a79aea95a2206e93d7c5f
                    • Instruction ID: a369a6b1ed7f8a76e2469b0fee12177ec63058149550e58bae63cb1d80932b75
                    • Opcode Fuzzy Hash: d314e144aa22bf2e00de8a2ba1158ad967813c73277a79aea95a2206e93d7c5f
                    • Instruction Fuzzy Hash: 28C048F1800109DBDB05EBA0DA98DEEB7BDAB09304F2440A6A142F2100E774AB448E72
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0064A36A
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: 6d16c002c506000ceb37ec727f433fe47e4454512ee7840c44290adaaff0518b
                    • Instruction ID: e300dd6a5b13f515c8a84b0e758eabf73ea11fd834e5986c6950148cfd82a771
                    • Opcode Fuzzy Hash: 6d16c002c506000ceb37ec727f433fe47e4454512ee7840c44290adaaff0518b
                    • Instruction Fuzzy Hash: CDA0113000020CAB8F002B82EC08888BFAEEA022A0B008020F80C800228F32A8208AC2
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7836dce13caca725d406847fe388fcfa0babeb9505be0b99f6ec9add04ee4b4e
                    • Instruction ID: c26132b0b9f8676cd38e9bb27132cf4d3b4111e84bc958c273cf5f3e525b3beb
                    • Opcode Fuzzy Hash: 7836dce13caca725d406847fe388fcfa0babeb9505be0b99f6ec9add04ee4b4e
                    • Instruction Fuzzy Hash: 7F22D6309057568FDF288B14C4946FDB7B3FB41304F6484AAE4578B792EB749D82CBA1
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                    • Instruction ID: 512080266b007a102f1a7e182d96342824a42534abc291db7d7f38c334ad8934
                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                    • Instruction Fuzzy Hash: A0C1A4322050530AEB5D4639D4341BEBAE26AA37B13AA075DF4B3CF6C5FF20D569D620
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                    • Instruction ID: 711ce4d88399cedcb8ede87d093e93f0ac3c5c7e7ab885a47e8bb418ae45ad84
                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                    • Instruction Fuzzy Hash: 97C1963220519309EB6D463A847407EBBE26B937B13AA075DF4B2DF6C4FF20D569D620
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309826710.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_f30000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                    • Instruction ID: 468786a34ab551baf6ab82520c03d4104507236316327b6b991093e5244d44d2
                    • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                    • Instruction Fuzzy Hash: 5541C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB40
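The two Source File names in this section differ in a way worth reading, not just pasting into a search box: the 00620000 dumps carry protection 00000020 (PAGE_EXECUTE_READ) and type 01000000 (MEM_IMAGE) and are reported "based on PE: true", while the 00F30000 dump carries protection 00000040 (PAGE_EXECUTE_READWRITE), type 00020000 (MEM_PRIVATE) and "based on PE: false". A private, writable and executable region with no PE behind it is where unpacked or injected code lives, so that dump, not the AutoIt stub image, is the one to pull for the payload. The decoder below is an added example, not Joe Sandbox code; the winnt.h constants are real, but the field layout of the .sdmp name is inferred from the names on this page and is an assumption, and fields 6 and 8 are returned undecoded.

```python
import re

# winnt.h page-protection and memory-type constants (values are certain).
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80    # PAGE_EXECUTE* variants
PAGE_WRITABLE_MASK = 0x04 | 0x08 | 0x40 | 0x80   # *READWRITE and *WRITECOPY
MEM_PRIVATE = 0x00020000
MEM_MAPPED = 0x00040000
MEM_IMAGE = 0x01000000

# Assumed layout of a Joe Sandbox .sdmp name, inferred from the dumps listed
# on this page (this example's assumption, not documented by the report):
#   <proc>.<stage>.<dumpid>.<base>.<protect>.<field6>.<memtype>.<field8>.sdmp
_SDMP = re.compile(
    r"^(?P<proc>\d{8})\.(?P<stage>\d{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\."
    r"(?P<field6>[0-9a-f]{8})\.(?P<memtype>[0-9a-f]{8})\."
    r"(?P<field8>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


def decode_sdmp(name: str) -> dict:
    """Decode one dump name into base address, page protection and memory type,
    and flag the executable + writable + MEM_PRIVATE combination that unpacked
    or injected code occupies."""
    m = _SDMP.match(name)
    if m is None:
        raise ValueError(f"unrecognised .sdmp name: {name}")
    protect = int(m["protect"], 16) & 0xFF   # drop PAGE_GUARD / PAGE_NOCACHE bits
    memtype = int(m["memtype"], 16)
    executable = bool(protect & PAGE_EXECUTE_MASK)
    writable = bool(protect & PAGE_WRITABLE_MASK)
    return {
        "process_index": int(m["proc"]),
        "base": int(m["base"], 16),
        "protect": protect,
        "memtype": memtype,
        "executable": executable,
        "writable": writable,
        "image_backed": memtype == MEM_IMAGE,
        "rwx_private": executable and writable and memtype == MEM_PRIVATE,
        "field6": int(m["field6"], 16),
        "field8": int(m["field8"], 16),
    }


def triage(records) -> list:
    """records: iterable of (dump_name, based_on_pe) pairs as printed in the
    report. Returns the names of regions that are executable and writable and
    are neither typed MEM_IMAGE nor reported as based on a PE."""
    flagged = []
    for name, based_on_pe in records:
        d = decode_sdmp(name)
        if d["executable"] and d["writable"] and not d["image_backed"] and not based_on_pe:
            flagged.append(name)
    return flagged


# Dump names copied from this report section. The 006DF000 entry is listed as
# associated with the 00620000 image, so it is taken as PE-backed here (assumption).
REPORT_DUMPS = [
    ("00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp", True),
    ("00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp", True),
    ("00000006.00000002.1309826710.0000000000F30000.00000040.00001000.00020000.00000000.sdmp", False),
]

if __name__ == "__main__":
    for name, based_on_pe in REPORT_DUMPS:
        d = decode_sdmp(name)
        print(f"{d['base']:#010x} protect={d['protect']:#04x} type={d['memtype']:#010x} "
              f"image={d['image_backed']} rwx_private={d['rwx_private']}")
    print("pull first:", triage(REPORT_DUMPS))
```

Run against the three names above, only the 00F30000 dump is flagged. The protection byte alone is not enough: a writable image section (006DF000, protect 0x04, MEM_IMAGE) is ordinary .data, so the type field and the report's own "based on PE" flag are both checked before a region is called suspicious.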
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309826710.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_f30000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                    • Instruction ID: ba98880264510614f660e570b7f0e6c1fc4e0c3518fa09b66616da70dda83a8a
                    • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                    • Instruction Fuzzy Hash: DC019279E01109EFCB84DF98C5909AEF7B5FB48320F248599E809A7701D730AE41DB80
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309826710.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_f30000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                    • Instruction ID: a75cffcb24fc932d6f1f79b0ccc09df19aef8dc157501111a7ad0608ecfb4401
                    • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                    • Instruction Fuzzy Hash: 0F019278E00109EFCB44DF98C5909AEF7B5FB48320F208599E809A7701D734AF41EB90
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309826710.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_f30000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                    • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                    • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                    • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                    APIs
                    • CharUpperBuffW.USER32(?,?,006AF910), ref: 006A38AF
                    • IsWindowVisible.USER32(?), ref: 006A38D3
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: BuffCharUpperVisibleWindow
                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                    • API String ID: 4105515805-45149045
                    • Opcode ID: 9741a4ce0a487b704e62a45636c0a2b7deab936cea4d129c50aebf9e45296697
                    • Instruction ID: 9f8ab15a91dfd5a31a36ff43b4ea1afe382d5a73eb62f8db09a90f83a8c53add
                    • Opcode Fuzzy Hash: 9741a4ce0a487b704e62a45636c0a2b7deab936cea4d129c50aebf9e45296697
                    • Instruction Fuzzy Hash: 95D19130604325DBCB54FF10C851AAABBE3AF95354F11845DB8865B3A6CB31EE0ACF95
                    APIs
                    • SetTextColor.GDI32(?,00000000), ref: 006AA89F
                    • GetSysColorBrush.USER32(0000000F), ref: 006AA8D0
                    • GetSysColor.USER32(0000000F), ref: 006AA8DC
                    • SetBkColor.GDI32(?,000000FF), ref: 006AA8F6
                    • SelectObject.GDI32(?,?), ref: 006AA905
                    • InflateRect.USER32(?,000000FF,000000FF), ref: 006AA930
                    • GetSysColor.USER32(00000010), ref: 006AA938
                    • CreateSolidBrush.GDI32(00000000), ref: 006AA93F
                    • FrameRect.USER32(?,?,00000000), ref: 006AA94E
                    • DeleteObject.GDI32(00000000), ref: 006AA955
                    • InflateRect.USER32(?,000000FE,000000FE), ref: 006AA9A0
                    • FillRect.USER32(?,?,?), ref: 006AA9D2
                    • GetWindowLongW.USER32(?,000000F0), ref: 006AA9FD
                      • Part of subcall function 006AAB60: GetSysColor.USER32(00000012), ref: 006AAB99
                      • Part of subcall function 006AAB60: SetTextColor.GDI32(?,?), ref: 006AAB9D
                      • Part of subcall function 006AAB60: GetSysColorBrush.USER32(0000000F), ref: 006AABB3
                      • Part of subcall function 006AAB60: GetSysColor.USER32(0000000F), ref: 006AABBE
                      • Part of subcall function 006AAB60: GetSysColor.USER32(00000011), ref: 006AABDB
                      • Part of subcall function 006AAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 006AABE9
                      • Part of subcall function 006AAB60: SelectObject.GDI32(?,00000000), ref: 006AABFA
                      • Part of subcall function 006AAB60: SetBkColor.GDI32(?,00000000), ref: 006AAC03
                      • Part of subcall function 006AAB60: SelectObject.GDI32(?,?), ref: 006AAC10
                      • Part of subcall function 006AAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 006AAC2F
                      • Part of subcall function 006AAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006AAC46
                      • Part of subcall function 006AAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 006AAC5B
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                    • String ID:
                    • API String ID: 4124339563-0
                    • Opcode ID: 6e5a6939029985415bacb0d79a768777c005f60e4028285a6623ae87c0fc5aad
                    • Instruction ID: 842353946206770ca17c27a5a71eb5cf78cdf3027ef8304b6705f4f62a76db30
                    • Opcode Fuzzy Hash: 6e5a6939029985415bacb0d79a768777c005f60e4028285a6623ae87c0fc5aad
                    • Instruction Fuzzy Hash: 17A18471408301AFD710AFA4DC08A5B77EAFF4A321F105B2AF562961A1D735E945CF53
                    APIs
                    • DestroyWindow.USER32(?,?,?), ref: 00622CA2
                    • DeleteObject.GDI32(00000000), ref: 00622CE8
                    • DeleteObject.GDI32(00000000), ref: 00622CF3
                    • DestroyIcon.USER32(00000000,?,?,?), ref: 00622CFE
                    • DestroyWindow.USER32(00000000,?,?,?), ref: 00622D09
                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 0065C68B
                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0065C6C4
                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0065CAED
                      • Part of subcall function 00621B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00622036,?,00000000,?,?,?,?,006216CB,00000000,?), ref: 00621B9A
                    • SendMessageW.USER32(?,00001053), ref: 0065CB2A
                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0065CB41
                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0065CB57
                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0065CB62
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                    • String ID: 0
                    • API String ID: 464785882-4108050209
                    • Opcode ID: b92b7fd5f7e025474f1435666be141a897259e9818004cb2c2c3f515b21dd296
                    • Instruction ID: 360daa67cfb97d49bd5351f5c7ebabef1d017a3302914f8b620adf77d0bab56d
                    • Opcode Fuzzy Hash: b92b7fd5f7e025474f1435666be141a897259e9818004cb2c2c3f515b21dd296
                    • Instruction Fuzzy Hash: 2B12AD30604612EFCB60DF24D894BA9BBE2BF49321F544569F885DB662C731E886CF91
                    APIs
                    • DestroyWindow.USER32(00000000), ref: 006977F1
                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 006978B0
                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 006978EE
                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00697900
                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00697946
                    • GetClientRect.USER32(00000000,?), ref: 00697952
                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00697996
                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006979A5
                    • GetStockObject.GDI32(00000011), ref: 006979B5
                    • SelectObject.GDI32(00000000,00000000), ref: 006979B9
                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 006979C9
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 006979D2
                    • DeleteDC.GDI32(00000000), ref: 006979DB
                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00697A07
                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 00697A1E
                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00697A59
                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00697A6D
                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 00697A7E
                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00697AAE
                    • GetStockObject.GDI32(00000011), ref: 00697AB9
                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00697AC4
                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00697ACE
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                    • API String ID: 2910397461-517079104
                    • Opcode ID: 92c3a50c4aa6114d7417c7fa74af44387bc1871a66942d64f553a4f42e5d9b15
                    • Instruction ID: 69f2e7f87fdad2253f56d6c9bdd5d0a2e2bfb6a02cba95339f0514b5d648540a
                    • Opcode Fuzzy Hash: 92c3a50c4aa6114d7417c7fa74af44387bc1871a66942d64f553a4f42e5d9b15
                    • Instruction Fuzzy Hash: BFA17371A40215BFEB14DBA4DD4AFAE7BBAEB45714F008118FA15AB2E0D770AD00CF65
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 0068AF89
                    • GetDriveTypeW.KERNEL32(?,006AFAC0,?,\\.\,006AF910), ref: 0068B066
                    • SetErrorMode.KERNEL32(00000000,006AFAC0,?,\\.\,006AF910), ref: 0068B1C4
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ErrorMode$DriveType
                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                    • API String ID: 2907320926-4222207086
                    • Opcode ID: 575b80b53005dcdd9169c9fc1e69e90469f19e7044450ea559f2b8cde236c602
                    • Instruction ID: 3239e88f90e27fde9e265931444f179318b0e4ad44fae0475b5204b82d8cc225
                    • Opcode Fuzzy Hash: 575b80b53005dcdd9169c9fc1e69e90469f19e7044450ea559f2b8cde236c602
                    • Instruction Fuzzy Hash: B051F534B88305EBCB00FB90C996CBD73B3AB54341B61621AF44AAB391CB359D42DF52
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                    • API String ID: 1038674560-86951937
                    • Opcode ID: a02e6635e3880bc5fb775cea750631e06f43753ddac32a7d2499d498b7eef122
                    • Instruction ID: c465134b10936029e170d259c4e049b566892beedd62371d86f83e0e3b4f9c0c
                    • Opcode Fuzzy Hash: a02e6635e3880bc5fb775cea750631e06f43753ddac32a7d2499d498b7eef122
                    • Instruction Fuzzy Hash: 9C815A70640626AACF24AF60DC92FEB776BAF15301F044029FD41AA281EB61DB99CB55
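The string table of the __wcsnicmp function above (#include, #include-once, #requireadmin, #notrayicon, #pragma compile, #OnAutoItStartRegister, the directive-syntax error messages) is the AutoIt v3 interpreter's script-directive parser, and the CreateWindowExW call earlier in this section registers the "AutoIt v3" window class the same interpreter creates. In other words the module at 00620000 is the stock AutoIt runtime stub, and the operator's logic is in the compiled script it carries, not in this code. The scanner below is an added example, not code from the page, from AutoIt or from Joe Sandbox: it looks for the "AU3!EA06" (or older "AU3!EA05") signature that prefixes the embedded script blob in a compiled AutoIt v3 binary, and separately for the UTF-16LE directive strings listed on this page. The sample byte strings are constructed here for the demonstration, and the three-string threshold is this example's own choice.

```python
# Signature that prefixes the script container inside a compiled AutoIt v3
# binary: EA06 for 3.3.x builds, EA05 for the older 3.2.x generation.
AU3_MAGIC = (b"AU3!EA06", b"AU3!EA05")

# Strings from the interpreter stub on this page (the directive dispatcher's
# table and the window class it creates). Matched as UTF-16LE because the
# stub compares wide strings (__wcsnicmp).
STUB_STRINGS = (
    "#OnAutoItStartRegister",
    "#requireadmin",
    "#notrayicon",
    "#pragma compile",
    "#include-once",
    "Bad directive syntax error",
    "Cannot parse #include",
    "Unterminated group of comments",
    "AutoIt v3",
)


def scan_autoit(data: bytes) -> dict:
    """Return the container magic hits (with offsets), the stub strings found,
    and a verdict:
      'compiled-autoit'  script container magic present
      'autoit-stub'      at least three stub strings, no magic found
      'none'             neither
    The threshold of three strings is this example's own heuristic."""
    magic_hits = [(m, data.find(m)) for m in AU3_MAGIC if m in data]
    string_hits = [s for s in STUB_STRINGS if s.encode("utf-16-le") in data]
    if magic_hits:
        verdict = "compiled-autoit"
    elif len(string_hits) >= 3:
        verdict = "autoit-stub"
    else:
        verdict = "none"
    return {"magic": magic_hits, "strings": string_hits, "verdict": verdict}


def scan_file(path: str) -> dict:
    """Convenience wrapper for a file on disk (e.g. a dropped executable)."""
    with open(path, "rb") as f:
        return scan_autoit(f.read())


def _wide(*strings: str) -> bytes:
    """NUL-terminated UTF-16LE strings, as a stub's string table stores them."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)


# Constructed inputs for the demonstration (not real samples).
SAMPLE_COMPILED = (
    b"MZ" + b"\x00" * 62
    + _wide("#include", "#requireadmin", "#notrayicon", "AutoIt v3")
    + b"\x00" * 16 + b"AU3!EA06" + bytes(range(256))
)
SAMPLE_STUB_ONLY = b"MZ" + _wide("#requireadmin", "#pragma compile", "Cannot parse #include")
SAMPLE_CLEAN = b"MZ" + b"\x90" * 100 + "Hello".encode("utf-16-le")

if __name__ == "__main__":
    for label, blob in (("compiled", SAMPLE_COMPILED),
                        ("stub-only", SAMPLE_STUB_ONLY),
                        ("clean", SAMPLE_CLEAN)):
        r = scan_autoit(blob)
        print(f"{label:10s} verdict={r['verdict']:16s} magic={r['magic']} strings={len(r['strings'])}")
```

The magic only locates the script container; the bytes after it are compressed by the AutoIt compiler, so decoding the script itself needs a dedicated extractor rather than a string search. A stub packed with a runtime packer will hide both the magic and the wide strings until it is unpacked, which is why the memory dumps in a report like this one are the better input than the file on disk.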
                    APIs
                    • GetSysColor.USER32(00000012), ref: 006AAB99
                    • SetTextColor.GDI32(?,?), ref: 006AAB9D
                    • GetSysColorBrush.USER32(0000000F), ref: 006AABB3
                    • GetSysColor.USER32(0000000F), ref: 006AABBE
                    • CreateSolidBrush.GDI32(?), ref: 006AABC3
                    • GetSysColor.USER32(00000011), ref: 006AABDB
                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 006AABE9
                    • SelectObject.GDI32(?,00000000), ref: 006AABFA
                    • SetBkColor.GDI32(?,00000000), ref: 006AAC03
                    • SelectObject.GDI32(?,?), ref: 006AAC10
                    • InflateRect.USER32(?,000000FF,000000FF), ref: 006AAC2F
                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006AAC46
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 006AAC5B
                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006AACA7
                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 006AACCE
                    • InflateRect.USER32(?,000000FD,000000FD), ref: 006AACEC
                    • DrawFocusRect.USER32(?,?), ref: 006AACF7
                    • GetSysColor.USER32(00000011), ref: 006AAD05
                    • SetTextColor.GDI32(?,00000000), ref: 006AAD0D
                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 006AAD21
                    • SelectObject.GDI32(?,006AA869), ref: 006AAD38
                    • DeleteObject.GDI32(?), ref: 006AAD43
                    • SelectObject.GDI32(?,?), ref: 006AAD49
                    • DeleteObject.GDI32(?), ref: 006AAD4E
                    • SetTextColor.GDI32(?,?), ref: 006AAD54
                    • SetBkColor.GDI32(?,?), ref: 006AAD5E
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                    • String ID:
                    • API String ID: 1996641542-0
                    • Opcode ID: d91bc56b4ed8521530e06c4fbee542b9ec99fd65b9fad74bb3af616de7104251
                    • Instruction ID: a4586e4d3c10fdda092a7bdcce7f3d3d99b21749f2735c3fd7157506eb8a663a
                    • Opcode Fuzzy Hash: d91bc56b4ed8521530e06c4fbee542b9ec99fd65b9fad74bb3af616de7104251
                    • Instruction Fuzzy Hash: 51615F71900218EFDB11AFE4DC48EAE7B7AEF0A320F105126F915AB2A1D775AD40DF91
                    APIs
                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 006A8D34
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006A8D45
                    • CharNextW.USER32(0000014E), ref: 006A8D74
                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 006A8DB5
                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 006A8DCB
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006A8DDC
                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 006A8DF9
                    • SetWindowTextW.USER32(?,0000014E), ref: 006A8E45
                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 006A8E5B
                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 006A8E8C
                    • _memset.LIBCMT ref: 006A8EB1
                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 006A8EFA
                    • _memset.LIBCMT ref: 006A8F59
                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 006A8F83
                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 006A8FDB
                    • SendMessageW.USER32(?,0000133D,?,?), ref: 006A9088
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 006A90AA
                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006A90F4
                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006A9121
                    • DrawMenuBar.USER32(?), ref: 006A9130
                    • SetWindowTextW.USER32(?,0000014E), ref: 006A9158
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                    • String ID: 0
                    • API String ID: 1073566785-4108050209
                    • Opcode ID: 8a0ed1d4aace2b33bf0038a7d47c4fdf3367217ce62b26960371b1786d2ce2ae
                    • Instruction ID: aa49d9751b9f1a71e64cc9a54dbb806a44ee14d4a539b045243e277c31cc3930
                    • Opcode Fuzzy Hash: 8a0ed1d4aace2b33bf0038a7d47c4fdf3367217ce62b26960371b1786d2ce2ae
                    • Instruction Fuzzy Hash: 1CE18170900219AEDF20AF60CC84EEE7BBAEF06710F148159F9169B291DB749E85DF61
                    APIs
                    • GetCursorPos.USER32(?), ref: 006A4C51
                    • GetDesktopWindow.USER32 ref: 006A4C66
                    • GetWindowRect.USER32(00000000), ref: 006A4C6D
                    • GetWindowLongW.USER32(?,000000F0), ref: 006A4CCF
                    • DestroyWindow.USER32(?), ref: 006A4CFB
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006A4D24
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006A4D42
                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 006A4D68
                    • SendMessageW.USER32(?,00000421,?,?), ref: 006A4D7D
                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 006A4D90
                    • IsWindowVisible.USER32(?), ref: 006A4DB0
                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 006A4DCB
                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 006A4DDF
                    • GetWindowRect.USER32(?,?), ref: 006A4DF7
                    • MonitorFromPoint.USER32(?,?,00000002), ref: 006A4E1D
                    • GetMonitorInfoW.USER32(00000000,?), ref: 006A4E37
                    • CopyRect.USER32(?,?), ref: 006A4E4E
                    • SendMessageW.USER32(?,00000412,00000000), ref: 006A4EB9
                    Similarity
                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                    • String ID: ($0$tooltips_class32
                    • API String ID: 698492251-4156429822
                    • Opcode ID: 6211b787cd656f6c98f390b4a6272c0f05449aa65f1797adf7a0673c6e991ea2
                    • Instruction ID: 1792fdc773441defc97e8b4bad44136b14e3da3f2aab42b997618ff2a85cd2ff
                    • Opcode Fuzzy Hash: 6211b787cd656f6c98f390b4a6272c0f05449aa65f1797adf7a0673c6e991ea2
                    • Instruction Fuzzy Hash: E0B18D71604350AFDB44EF64C844B6ABBE6BF85314F00891CF5899B2A1DBB1EC05CFA6
                    APIs
                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 006846E8
                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0068470E
                    • _wcscpy.LIBCMT ref: 0068473C
                    • _wcscmp.LIBCMT ref: 00684747
                    • _wcscat.LIBCMT ref: 0068475D
                    • _wcsstr.LIBCMT ref: 00684768
                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00684784
                    • _wcscat.LIBCMT ref: 006847CD
                    • _wcscat.LIBCMT ref: 006847D4
                    • _wcsncpy.LIBCMT ref: 006847FF
                    Similarity
                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                    • API String ID: 699586101-1459072770
                    • Opcode ID: 687f5adb69224f0ce51eb883e9b51e788b2178247b18d74868e2307163d5370e
                    • Instruction ID: bd35b4b4457015843bf95e934c8eea7b791f7ff084c06b5893e7575d760ea269
                    • Opcode Fuzzy Hash: 687f5adb69224f0ce51eb883e9b51e788b2178247b18d74868e2307163d5370e
                    • Instruction Fuzzy Hash: B2412A71A04215BAE750B7B49C43EBF776EDF02710F14016EF904E6282EF70EA4197A9
                    APIs
                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006228BC
                    • GetSystemMetrics.USER32(00000007), ref: 006228C4
                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006228EF
                    • GetSystemMetrics.USER32(00000008), ref: 006228F7
                    • GetSystemMetrics.USER32(00000004), ref: 0062291C
                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00622939
                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00622949
                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0062297C
                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00622990
                    • GetClientRect.USER32(00000000,000000FF), ref: 006229AE
                    • GetStockObject.GDI32(00000011), ref: 006229CA
                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 006229D5
                      • Part of subcall function 00622344: GetCursorPos.USER32(?), ref: 00622357
                      • Part of subcall function 00622344: ScreenToClient.USER32(006E67B0,?), ref: 00622374
                      • Part of subcall function 00622344: GetAsyncKeyState.USER32(00000001), ref: 00622399
                      • Part of subcall function 00622344: GetAsyncKeyState.USER32(00000002), ref: 006223A7
                    • SetTimer.USER32(00000000,00000000,00000028,00621256), ref: 006229FC
                    Similarity
                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                    • String ID: AutoIt v3 GUI
                    • API String ID: 1458621304-248962490
                    • Opcode ID: 3f36740df872450691c32e43ec20c1525286d30690dbccfe91f68473da8d5ed9
                    • Instruction ID: 64f9c8706a7f2345c6efa7d1928fa968d3936e255212057e4a208d4007d5a7d0
                    • Opcode Fuzzy Hash: 3f36740df872450691c32e43ec20c1525286d30690dbccfe91f68473da8d5ed9
                    • Instruction Fuzzy Hash: 93B1AF70A0021AEFDB14DFA8DC95BEE7BB6FB18311F104229FA15A6290DB34E841CF51
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 006A40F6
                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006A41B6
                    Similarity
                    • API ID: BuffCharMessageSendUpper
                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                    • API String ID: 3974292440-719923060
                    • Opcode ID: 75a8bcf63ae57c132d2dc0e0b0fdaca0f730a1e5b4483ffaf77bb33869f6ad88
                    • Instruction ID: a8704863f6fc68362260f4338e404df59ca6e7fae46ce1e2961abb051591d1a1
                    • Opcode Fuzzy Hash: 75a8bcf63ae57c132d2dc0e0b0fdaca0f730a1e5b4483ffaf77bb33869f6ad88
                    • Instruction Fuzzy Hash: 24A1AD306143119BDB54FF20C841AAAB7A7AFC5314F14896CB8969B392DF70ED0ACF55
                    APIs
                    • LoadCursorW.USER32(00000000,00007F89), ref: 00695309
                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00695314
                    • LoadCursorW.USER32(00000000,00007F00), ref: 0069531F
                    • LoadCursorW.USER32(00000000,00007F03), ref: 0069532A
                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00695335
                    • LoadCursorW.USER32(00000000,00007F01), ref: 00695340
                    • LoadCursorW.USER32(00000000,00007F81), ref: 0069534B
                    • LoadCursorW.USER32(00000000,00007F88), ref: 00695356
                    • LoadCursorW.USER32(00000000,00007F80), ref: 00695361
                    • LoadCursorW.USER32(00000000,00007F86), ref: 0069536C
                    • LoadCursorW.USER32(00000000,00007F83), ref: 00695377
                    • LoadCursorW.USER32(00000000,00007F85), ref: 00695382
                    • LoadCursorW.USER32(00000000,00007F82), ref: 0069538D
                    • LoadCursorW.USER32(00000000,00007F84), ref: 00695398
                    • LoadCursorW.USER32(00000000,00007F04), ref: 006953A3
                    • LoadCursorW.USER32(00000000,00007F02), ref: 006953AE
                    • GetCursorInfo.USER32(?), ref: 006953BE
                    • GetLastError.KERNEL32(00000001,00000000), ref: 006953E9
                    Similarity
                    • API ID: Cursor$Load$ErrorInfoLast
                    • String ID:
                    • API String ID: 3215588206-0
                    • Opcode ID: f9bdd8ad18b577768036b5c032a848c953e77c16edd151380eace73332dad1c0
                    • Instruction ID: 977bde2adf35a0bbf71d33502c49c70fea0c3e9c1ac79a18a7e115649461ed30
                    • Opcode Fuzzy Hash: f9bdd8ad18b577768036b5c032a848c953e77c16edd151380eace73332dad1c0
                    • Instruction Fuzzy Hash: D9417170E043196ADF509FBA8C4986EFFFDEF51B10F10452FA509E7290DAB8A4018FA1
                    APIs
                    • GetClassNameW.USER32(?,?,00000100), ref: 0067AAA5
                    • __swprintf.LIBCMT ref: 0067AB46
                    • _wcscmp.LIBCMT ref: 0067AB59
                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0067ABAE
                    • _wcscmp.LIBCMT ref: 0067ABEA
                    • GetClassNameW.USER32(?,?,00000400), ref: 0067AC21
                    • GetDlgCtrlID.USER32(?), ref: 0067AC73
                    • GetWindowRect.USER32(?,?), ref: 0067ACA9
                    • GetParent.USER32(?), ref: 0067ACC7
                    • ScreenToClient.USER32(00000000), ref: 0067ACCE
                    • GetClassNameW.USER32(?,?,00000100), ref: 0067AD48
                    • _wcscmp.LIBCMT ref: 0067AD5C
                    • GetWindowTextW.USER32(?,?,00000400), ref: 0067AD82
                    • _wcscmp.LIBCMT ref: 0067AD96
                      • Part of subcall function 0064386C: _iswctype.LIBCMT ref: 00643874
                    Similarity
                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                    • String ID: %s%u
                    • API String ID: 3744389584-679674701
                    • Opcode ID: 9fe7370a072fa56f68eb702ca15fa225512b354470730b39aeac6789e978a579
                    • Instruction ID: 5bedc084c75846d7ce45767ab14bf90cbaa4668cd27981669be003e3c3d4e451
                    • Opcode Fuzzy Hash: 9fe7370a072fa56f68eb702ca15fa225512b354470730b39aeac6789e978a579
                    • Instruction Fuzzy Hash: 47A1A171204606AFD729DFA4C884BEEB7AAFF84315F10862DF99D92250D730E945CB92
                    APIs
                    • GetClassNameW.USER32(00000008,?,00000400), ref: 0067B3DB
                    • _wcscmp.LIBCMT ref: 0067B3EC
                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 0067B414
                    • CharUpperBuffW.USER32(?,00000000), ref: 0067B431
                    • _wcscmp.LIBCMT ref: 0067B44F
                    • _wcsstr.LIBCMT ref: 0067B460
                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0067B498
                    • _wcscmp.LIBCMT ref: 0067B4A8
                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 0067B4CF
                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0067B518
                    • _wcscmp.LIBCMT ref: 0067B528
                    • GetClassNameW.USER32(00000010,?,00000400), ref: 0067B550
                    • GetWindowRect.USER32(00000004,?), ref: 0067B5B9
                    Similarity
                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                    • String ID: @$ThumbnailClass
                    • API String ID: 1788623398-1539354611
                    • Opcode ID: 111bde0883c9c6d9c78c717644a60ebf289cb03c8e4ee89f8904609dfb3b6973
                    • Instruction ID: f8e4aadbf2fe21abcee52ade861e3325937bfff5de0b75ada1887bd256a6222c
                    • Opcode Fuzzy Hash: 111bde0883c9c6d9c78c717644a60ebf289cb03c8e4ee89f8904609dfb3b6973
                    • Instruction Fuzzy Hash: CF81AE710083059BEB04DF10D885FAA7BEAEF44314F08E56DFD899A296DB30DD49CBA1
                    APIs
                      • Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623
                    • DragQueryPoint.SHELL32(?,?), ref: 006AC917
                      • Part of subcall function 006AADF1: ClientToScreen.USER32(?,?), ref: 006AAE1A
                      • Part of subcall function 006AADF1: GetWindowRect.USER32(?,?), ref: 006AAE90
                      • Part of subcall function 006AADF1: PtInRect.USER32(?,?,006AC304), ref: 006AAEA0
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 006AC980
                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006AC98B
                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006AC9AE
                    • _wcscat.LIBCMT ref: 006AC9DE
                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 006AC9F5
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 006ACA0E
                    • SendMessageW.USER32(?,000000B1,?,?), ref: 006ACA25
                    • SendMessageW.USER32(?,000000B1,?,?), ref: 006ACA47
                    • DragFinish.SHELL32(?), ref: 006ACA4E
                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 006ACB41
                    Similarity
                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$prn
                    • API String ID: 169749273-2044922903
                    • Opcode ID: 491386e4294ed5044c5fa7699f33ef3758e08a8454490fec1fa41d0b8517194d
                    • Instruction ID: 219e94d1c90a9ea495bb92295c0e714489cbaceacf5ed6ff756f89a9c7689b52
                    • Opcode Fuzzy Hash: 491386e4294ed5044c5fa7699f33ef3758e08a8454490fec1fa41d0b8517194d
                    • Instruction Fuzzy Hash: 15617D71508301AFC711EF64DC85D9BBBEAEF89710F04091EF591962A1DB30AA09CFA6
                    APIs
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                    • API String ID: 1038674560-1810252412
                    • Opcode ID: 8561ca81a14c69c73ea6de2b93229ca31ca2ce2c638793c13de68aae2b375b9c
                    • Instruction ID: ecd12c60eef1bda8a01373a4425289f61aa46eb34463b0f735b05da88d70212f
                    • Opcode Fuzzy Hash: 8561ca81a14c69c73ea6de2b93229ca31ca2ce2c638793c13de68aae2b375b9c
                    • Instruction Fuzzy Hash: 2931D030A44215A6DB50FA60DD43FFE77B79F10750F20441EB415B22D2EF61AF04CA69
                    APIs
                    • LoadIconW.USER32(00000063), ref: 0067C4D4
                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0067C4E6
                    • SetWindowTextW.USER32(?,?), ref: 0067C4FD
                    • GetDlgItem.USER32(?,000003EA), ref: 0067C512
                    • SetWindowTextW.USER32(00000000,?), ref: 0067C518
                    • GetDlgItem.USER32(?,000003E9), ref: 0067C528
                    • SetWindowTextW.USER32(00000000,?), ref: 0067C52E
                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0067C54F
                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0067C569
                    • GetWindowRect.USER32(?,?), ref: 0067C572
                    • SetWindowTextW.USER32(?,?), ref: 0067C5DD
                    • GetDesktopWindow.USER32 ref: 0067C5E3
                    • GetWindowRect.USER32(00000000), ref: 0067C5EA
                    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0067C636
                    • GetClientRect.USER32(?,?), ref: 0067C643
                    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0067C668
                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0067C693
                    Similarity
                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                    • String ID:
                    • API String ID: 3869813825-0
                    • Opcode ID: 05e8bf12655409b8011e89f68fbb643f8e87ba77ec7ebdf2aa50b27114bd3e4b
                    • Instruction ID: 276edf7798572778550f43685826d1fc44f3411f47f9d252ec3cca4cfe617079
                    • Opcode Fuzzy Hash: 05e8bf12655409b8011e89f68fbb643f8e87ba77ec7ebdf2aa50b27114bd3e4b
                    • Instruction Fuzzy Hash: 83515D70900709AFDB20AFA8DD85BAEBBF6FB04715F00552CE686A26A0C775B914CF50
                    APIs
                    • _memset.LIBCMT ref: 006AA4C8
                    • DestroyWindow.USER32(?,?), ref: 006AA542
                      • Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 006AA5BC
                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 006AA5DE
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006AA5F1
                    • DestroyWindow.USER32(00000000), ref: 006AA613
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00620000,00000000), ref: 006AA64A
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006AA663
                    • GetDesktopWindow.USER32 ref: 006AA67C
                    • GetWindowRect.USER32(00000000), ref: 006AA683
                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006AA69B
                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 006AA6B3
                      • Part of subcall function 006225DB: GetWindowLongW.USER32(?,000000EB), ref: 006225EC
                    Similarity
                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                    • String ID: 0$tooltips_class32
                    • API String ID: 1297703922-3619404913
                    • Opcode ID: a69dc611e7786126557ecfb66a2e23e803fbf1edf9d913735ae31d1708c8b084
                    • Instruction ID: 3f416e9550266728f9b804a31b32f915b9deb1475c9574d92818df24f55e3875
                    • Opcode Fuzzy Hash: a69dc611e7786126557ecfb66a2e23e803fbf1edf9d913735ae31d1708c8b084
                    • Instruction Fuzzy Hash: D6716A71140245AFD720EF68CC45FA67BE6EB9A300F08552EF985872A1D771ED02CF66
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 006A46AB
                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006A46F6
                    Similarity
                    • API ID: BuffCharMessageSendUpper
                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                    • API String ID: 3974292440-4258414348
                    • Opcode ID: d37c7f9aea0ce5627660119d282b3eacac0b205b63213b66f6cd8be2a590752b
                    • Instruction ID: febaebdf41fa53cdee8db11a4850fe6246a9887cfc866044f4efa8edc3a97538
                    • Opcode Fuzzy Hash: d37c7f9aea0ce5627660119d282b3eacac0b205b63213b66f6cd8be2a590752b
                    • Instruction Fuzzy Hash: 06918C346047118FCB54EF10D851AAABBA3AF85314F04886DF8965B3A2CF71ED4ACF95
                    APIs
                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006ABB6E
                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006A9431), ref: 006ABBCA
                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006ABC03
                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 006ABC46
                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006ABC7D
                    • FreeLibrary.KERNEL32(?), ref: 006ABC89
                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006ABC99
                    • DestroyIcon.USER32(?,?,?,?,?,006A9431), ref: 006ABCA8
                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 006ABCC5
                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 006ABCD1
                      • Part of subcall function 0064313D: __wcsicmp_l.LIBCMT ref: 006431C6
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                    • String ID: .dll$.exe$.icl
                    • API String ID: 1212759294-1154884017
                    • Opcode ID: ccfbf9a3c41e28945a39788906f0965622e5a52af6abc9180fbda5ce446b4299
                    • Instruction ID: f0bc7cb714d145f4899a18f4a142e005b425f926ee88656bab1b888c0cf12166
                    • Opcode Fuzzy Hash: ccfbf9a3c41e28945a39788906f0965622e5a52af6abc9180fbda5ce446b4299
                    • Instruction Fuzzy Hash: 7661EF71900219BAEB14EF64CC41FFA77AAEB09721F105219F816D62D2DB74AD90CFA0
                    APIs
                    • LoadStringW.USER32(00000066,?,00000FFF,006AFB78), ref: 0068A0FC
                      • Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82
                    • LoadStringW.USER32(?,?,00000FFF,?), ref: 0068A11E
                    • __swprintf.LIBCMT ref: 0068A177
                    • __swprintf.LIBCMT ref: 0068A190
                    • _wprintf.LIBCMT ref: 0068A246
                    • _wprintf.LIBCMT ref: 0068A264
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: LoadString__swprintf_wprintf$_memmove
                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%k
                    • API String ID: 311963372-3215148653
                    • Opcode ID: d158d5d2ab640fe4b4b914480987eb3e95ac32b5a7d9648628e156cf5b4bdc97
                    • Instruction ID: 10d41a3374f5a7411ca524082470b2e49d0b4cf4fc21095c0ef6ef2f05fc5d12
                    • Opcode Fuzzy Hash: d158d5d2ab640fe4b4b914480987eb3e95ac32b5a7d9648628e156cf5b4bdc97
                    • Instruction Fuzzy Hash: EA51BE3180061AAADF65FBE0DD96EEEB77AAF04300F14016AF505721A1EB312F48DF65
                    APIs
                      • Part of subcall function 00629997: __itow.LIBCMT ref: 006299C2
                      • Part of subcall function 00629997: __swprintf.LIBCMT ref: 00629A0C
                    • CharLowerBuffW.USER32(?,?), ref: 0068A636
                    • GetDriveTypeW.KERNEL32 ref: 0068A683
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0068A6CB
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0068A702
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0068A730
                      • Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                    • API String ID: 2698844021-4113822522
                    • Opcode ID: 0b8ec0e256568cad14cdf0213987acdfc45220ffae78a79861600b8a3d54b314
                    • Instruction ID: de9833533744d1f12ada710058387fa098871622c47bc2c2298f8c643ddf5b6c
                    • Opcode Fuzzy Hash: 0b8ec0e256568cad14cdf0213987acdfc45220ffae78a79861600b8a3d54b314
                    • Instruction Fuzzy Hash: 745168715087149FD740EF20D881C6AB7E6EF84318F04496DF88657261DB31EE0ACF52
                    APIs
                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0068A47A
                    • __swprintf.LIBCMT ref: 0068A49C
                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0068A4D9
                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0068A4FE
                    • _memset.LIBCMT ref: 0068A51D
                    • _wcsncpy.LIBCMT ref: 0068A559
                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0068A58E
                    • CloseHandle.KERNEL32(00000000), ref: 0068A599
                    • RemoveDirectoryW.KERNEL32(?), ref: 0068A5A2
                    • CloseHandle.KERNEL32(00000000), ref: 0068A5AC
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                    • String ID: :$\$\??\%s
                    • API String ID: 2733774712-3457252023
                    • Opcode ID: 716660d4f794556e11a5ac36cb4b5e8a83f5d05467e79da0f633fbf5b9df63b6
                    • Instruction ID: 0b7721421badbbbef2e7a7e58daaf4ca9545d61da3137f90cbcd14de7f133206
                    • Opcode Fuzzy Hash: 716660d4f794556e11a5ac36cb4b5e8a83f5d05467e79da0f633fbf5b9df63b6
                    • Instruction Fuzzy Hash: 7D31A0B1500119ABEB20AFE0DC49FEB73BEEF89701F1041B6F908D2160E77097858B66
                    APIs
                      • Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623
                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006AC4EC
                    • GetFocus.USER32 ref: 006AC4FC
                    • GetDlgCtrlID.USER32(00000000), ref: 006AC507
                    • _memset.LIBCMT ref: 006AC632
                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 006AC65D
                    • GetMenuItemCount.USER32(?), ref: 006AC67D
                    • GetMenuItemID.USER32(?,00000000), ref: 006AC690
                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 006AC6C4
                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 006AC70C
                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006AC744
                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 006AC779
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                    • String ID: 0
                    • API String ID: 1296962147-4108050209
                    • Opcode ID: 52d953c25a68bffe8bb0749595a8b0a4fa95316eac1caa4242ef681a210ad542
                    • Instruction ID: 0c0ed937a50be83fd3dd53c6e35f82471e5496dba614028444ebb7a6a101d9be
                    • Opcode Fuzzy Hash: 52d953c25a68bffe8bb0749595a8b0a4fa95316eac1caa4242ef681a210ad542
                    • Instruction Fuzzy Hash: 31818E705083119FDB20EF14C984AABBBE6FB9A364F00552DF99597291D730ED05CFA2
                    APIs
                      • Part of subcall function 0067874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00678766
                      • Part of subcall function 0067874A: GetLastError.KERNEL32(?,0067822A,?,?,?), ref: 00678770
                      • Part of subcall function 0067874A: GetProcessHeap.KERNEL32(00000008,?,?,0067822A,?,?,?), ref: 0067877F
                      • Part of subcall function 0067874A: HeapAlloc.KERNEL32(00000000,?,0067822A,?,?,?), ref: 00678786
                      • Part of subcall function 0067874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0067879D
                      • Part of subcall function 006787E7: GetProcessHeap.KERNEL32(00000008,00678240,00000000,00000000,?,00678240,?), ref: 006787F3
                      • Part of subcall function 006787E7: HeapAlloc.KERNEL32(00000000,?,00678240,?), ref: 006787FA
                      • Part of subcall function 006787E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00678240,?), ref: 0067880B
                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00678458
                    • _memset.LIBCMT ref: 0067846D
                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0067848C
                    • GetLengthSid.ADVAPI32(?), ref: 0067849D
                    • GetAce.ADVAPI32(?,00000000,?), ref: 006784DA
                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006784F6
                    • GetLengthSid.ADVAPI32(?), ref: 00678513
                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00678522
                    • HeapAlloc.KERNEL32(00000000), ref: 00678529
                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0067854A
                    • CopySid.ADVAPI32(00000000), ref: 00678551
                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00678582
                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006785A8
                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 006785BC
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                    • String ID:
                    • API String ID: 3996160137-0
                    • Opcode ID: b5bd96407f32e946e3a01fd03377d214d4fa8e9215bcdb14af72f21f529ec4f2
                    • Instruction ID: 47306bf3de66098c3a21cef6da4607f6be52affe3cee352412fd857396951d3d
                    • Opcode Fuzzy Hash: b5bd96407f32e946e3a01fd03377d214d4fa8e9215bcdb14af72f21f529ec4f2
                    • Instruction Fuzzy Hash: 05611C7194010AAFDF149F94DC49AEEBBBAFF05300F148269F919A7291DB31AE05CF60
                    APIs
                    • GetDC.USER32(00000000), ref: 006976A2
                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 006976AE
                    • CreateCompatibleDC.GDI32(?), ref: 006976BA
                    • SelectObject.GDI32(00000000,?), ref: 006976C7
                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0069771B
                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00697757
                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0069777B
                    • SelectObject.GDI32(00000006,?), ref: 00697783
                    • DeleteObject.GDI32(?), ref: 0069778C
                    • DeleteDC.GDI32(00000006), ref: 00697793
                    • ReleaseDC.USER32(00000000,?), ref: 0069779E
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                    • String ID: (
                    • API String ID: 2598888154-3887548279
                    • Opcode ID: bf7f8105d5016b5ee08ba8e759618e3716641f4ea485c8772e3fd3fc44aa0403
                    • Instruction ID: acbc1ef13ea1c723d0d14bfd0da5ed752db6ab0574cc73180c77193a8e2ad15e
                    • Opcode Fuzzy Hash: bf7f8105d5016b5ee08ba8e759618e3716641f4ea485c8772e3fd3fc44aa0403
                    • Instruction Fuzzy Hash: 87513975904209EFCB15DFA8CC85EAEBBBAEF49710F14852DF94997210D731A941CF60
                    APIs
                      • Part of subcall function 00640B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00626C6C,?,00008000), ref: 00640BB7
                      • Part of subcall function 006248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006248A1,?,?,006237C0,?), ref: 006248CE
                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00626D0D
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00626E5A
                      • Part of subcall function 006259CD: _wcscpy.LIBCMT ref: 00625A05
                      • Part of subcall function 0064387D: _iswctype.LIBCMT ref: 00643885
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                    • API String ID: 537147316-1018226102
                    • Opcode ID: 490e215d77740a3043ff649c68d4386645d9daf6c444449734ab57034d2b1dce
                    • Instruction ID: 8c10ae9f777c8b6893473f25e3671dfa17e88a63f96e062f48b392e46ca6e131
                    • Opcode Fuzzy Hash: 490e215d77740a3043ff649c68d4386645d9daf6c444449734ab57034d2b1dce
                    • Instruction Fuzzy Hash: D302AC311087519FCB64EF24D881AAFBBE6BF89314F04491DF886972A1DB31DA49CF46
                    APIs
                    • _memset.LIBCMT ref: 006245F9
                    • GetMenuItemCount.USER32(006E6890), ref: 0065D7CD
                    • GetMenuItemCount.USER32(006E6890), ref: 0065D87D
                    • GetCursorPos.USER32(?), ref: 0065D8C1
                    • SetForegroundWindow.USER32(00000000), ref: 0065D8CA
                    • TrackPopupMenuEx.USER32(006E6890,00000000,?,00000000,00000000,00000000), ref: 0065D8DD
                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0065D8E9
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                    • String ID:
                    • API String ID: 2751501086-0
                    • Opcode ID: 1a1dc0218f5ef9eb530b3318b973694328ae577e7cb7d4aca202f2d0afc61422
                    • Instruction ID: b3f9c5bf6c66bce16c74dbea6f05a748d87af599c2d9bd2d24404764906c0221
                    • Opcode Fuzzy Hash: 1a1dc0218f5ef9eb530b3318b973694328ae577e7cb7d4aca202f2d0afc61422
                    • Instruction Fuzzy Hash: 86712430601216BFEB309F54DC85FEABF66FF05365F200216F915A62E1CBB16814DB95
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 00698BEC
                    • CoInitialize.OLE32(00000000), ref: 00698C19
                    • CoUninitialize.OLE32 ref: 00698C23
                    • GetRunningObjectTable.OLE32(00000000,?), ref: 00698D23
                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 00698E50
                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,006B2C0C), ref: 00698E84
                    • CoGetObject.OLE32(?,00000000,006B2C0C,?), ref: 00698EA7
                    • SetErrorMode.KERNEL32(00000000), ref: 00698EBA
                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00698F3A
                    • VariantClear.OLEAUT32(?), ref: 00698F4A
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                    • String ID: ,,k
                    • API String ID: 2395222682-759674344
                    • Opcode ID: 62a06a80a1af14582ec1d371ae8ba0ab6997a6db636c894fd2ac5adc45ff7e0f
                    • Instruction ID: 837eb80d5f06adf6b9933c36bf8e68c14353ddce52952e365600033b3116ac30
                    • Opcode Fuzzy Hash: 62a06a80a1af14582ec1d371ae8ba0ab6997a6db636c894fd2ac5adc45ff7e0f
                    • Instruction Fuzzy Hash: C2C125B1208305AFDB40EF64C88496BB7EAFF8A348F10495DF5899B251DB31ED05CB52
                    APIs
                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,006A0038,?,?), ref: 006A10BC
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: BuffCharUpper
                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                    • API String ID: 3964851224-909552448
                    • Opcode ID: 31c136870cef92f3451111bb00fbf5a3ddec53cf1a777d08153bbcca7fcfe0bb
                    • Instruction ID: cf50ee6a7867a4248aee5b821e461abf5cf865a1c80eed0f7004c8df43148881
                    • Opcode Fuzzy Hash: 31c136870cef92f3451111bb00fbf5a3ddec53cf1a777d08153bbcca7fcfe0bb
                    • Instruction Fuzzy Hash: 3541483090026ACBDF10EF90DC91AEA3727AF13340F104469EDA15B396DB31AE5ACF64
                    APIs
                      • Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66
                      • Part of subcall function 00627A84: _memmove.LIBCMT ref: 00627B0D
                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006855D2
                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 006855E8
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006855F9
                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0068560B
                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0068561C
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: SendString$_memmove
                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                    • API String ID: 2279737902-1007645807
                    • Opcode ID: 90956c409bb6ad46b349afec09e8f249d7a99cfddfd6ca70b972ec4236841894
                    • Instruction ID: c08d31c728c7aae8b1f5b64edfb0015d787b67873dcbf6b6947158a243363fee
                    • Opcode Fuzzy Hash: 90956c409bb6ad46b349afec09e8f249d7a99cfddfd6ca70b972ec4236841894
                    • Instruction Fuzzy Hash: DB11E23099456979D720B6A1DC4ACFF7B7FEF91B00F41052AB401E21D1EE601D45CAB2
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                    • String ID: 0.0.0.0
                    • API String ID: 208665112-3771769585
                    • Opcode ID: 1d547eeb9c4af95b0cfad298bdc52adc8c6652d24ea26bd4b6f863eec79801ff
                    • Instruction ID: 817315f2d4feaebba87ce5c6d52f213d4400069fa2b16f8b07fadd364dc8550b
                    • Opcode Fuzzy Hash: 1d547eeb9c4af95b0cfad298bdc52adc8c6652d24ea26bd4b6f863eec79801ff
                    • Instruction Fuzzy Hash: 07110531904116ABCB70FB64EC06EDB77BE9F02710F01027AF40996151EF749A81CB66
                    APIs
                    • timeGetTime.WINMM ref: 0068521C
                      • Part of subcall function 00640719: timeGetTime.WINMM(?,7707B400,00630FF9), ref: 0064071D
                    • Sleep.KERNEL32(0000000A), ref: 00685248
                    • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0068526C
                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0068528E
                    • SetActiveWindow.USER32 ref: 006852AD
                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006852BB
                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 006852DA
                    • Sleep.KERNEL32(000000FA), ref: 006852E5
                    • IsWindow.USER32 ref: 006852F1
                    • EndDialog.USER32(00000000), ref: 00685302
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                    • String ID: BUTTON
                    • API String ID: 1194449130-3405671355
                    • Opcode ID: fa0afd035e82b90a01558ecfb323452aa02453dad061a08d9297551a6cb2e15f
                    • Instruction ID: bda176ce0c2c4ef39b29f114548f167164f99335bd3b68ebcb8c195a539b2f2c
                    • Opcode Fuzzy Hash: fa0afd035e82b90a01558ecfb323452aa02453dad061a08d9297551a6cb2e15f
                    • Instruction Fuzzy Hash: 63218470204B44AFE7007FA0EDC9A753BABEB56396F043529F10285271DF61AD458F62
                    APIs
                      • Part of subcall function 00629997: __itow.LIBCMT ref: 006299C2
                      • Part of subcall function 00629997: __swprintf.LIBCMT ref: 00629A0C
                    • CoInitialize.OLE32(00000000), ref: 0068D855
                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0068D8E8
                    • SHGetDesktopFolder.SHELL32(?), ref: 0068D8FC
                    • CoCreateInstance.OLE32(006B2D7C,00000000,00000001,006DA89C,?), ref: 0068D948
                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0068D9B7
                    • CoTaskMemFree.OLE32(?,?), ref: 0068DA0F
                    • _memset.LIBCMT ref: 0068DA4C
                    • SHBrowseForFolderW.SHELL32(?), ref: 0068DA88
                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0068DAAB
                    • CoTaskMemFree.OLE32(00000000), ref: 0068DAB2
                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0068DAE9
                    • CoUninitialize.OLE32(00000001,00000000), ref: 0068DAEB
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                    • String ID:
                    • API String ID: 1246142700-0
                    • Opcode ID: b725c36b539bf89b60bf5c9f94039072571a8b38bcb2cdc1d9030e995350ab55
                    • Instruction ID: 52e1397a115c29d4dd6a79f32cd0452255133919e3252f532afa17e9d736d611
                    • Opcode Fuzzy Hash: b725c36b539bf89b60bf5c9f94039072571a8b38bcb2cdc1d9030e995350ab55
                    • Instruction Fuzzy Hash: 29B1FA75A00119AFDB44EFA4C884DAEBBFAEF49314F148569F809EB251DB30AD41CF64
                    APIs
                    • GetKeyboardState.USER32(?), ref: 006805A7
                    • SetKeyboardState.USER32(?), ref: 00680612
                    • GetAsyncKeyState.USER32(000000A0), ref: 00680632
                    • GetKeyState.USER32(000000A0), ref: 00680649
                    • GetAsyncKeyState.USER32(000000A1), ref: 00680678
                    • GetKeyState.USER32(000000A1), ref: 00680689
                    • GetAsyncKeyState.USER32(00000011), ref: 006806B5
                    • GetKeyState.USER32(00000011), ref: 006806C3
                    • GetAsyncKeyState.USER32(00000012), ref: 006806EC
                    • GetKeyState.USER32(00000012), ref: 006806FA
                    • GetAsyncKeyState.USER32(0000005B), ref: 00680723
                    • GetKeyState.USER32(0000005B), ref: 00680731
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: State$Async$Keyboard
                    • String ID:
                    • API String ID: 541375521-0
                    • Opcode ID: 3cb871cbbe6c2011070fd17f8bd263958b1ab48960c5a49f03cc37800a6d28d7
                    • Instruction ID: acbc9aa18d30084960543314f15a7f7f870752063331dcf3b56d91a4d80efb0d
                    • Opcode Fuzzy Hash: 3cb871cbbe6c2011070fd17f8bd263958b1ab48960c5a49f03cc37800a6d28d7
                    • Instruction Fuzzy Hash: 16512E70A0478419FB74FBB085557EABFB69F02340F084B9DD5C25A2C2D654AB8CCF66
                    APIs
                    • GetDlgItem.USER32(?,00000001), ref: 0067C746
                    • GetWindowRect.USER32(00000000,?), ref: 0067C758
                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0067C7B6
                    • GetDlgItem.USER32(?,00000002), ref: 0067C7C1
                    • GetWindowRect.USER32(00000000,?), ref: 0067C7D3
                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0067C827
                    • GetDlgItem.USER32(?,000003E9), ref: 0067C835
                    • GetWindowRect.USER32(00000000,?), ref: 0067C846
                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0067C889
                    • GetDlgItem.USER32(?,000003EA), ref: 0067C897
                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0067C8B4
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0067C8C1
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Window$ItemMoveRect$Invalidate
                    • String ID:
                    • API String ID: 3096461208-0
                    • Opcode ID: 327f7aed521c79fa04d3ee8c8460044237c6ef537b2122fe9d81a409252e6934
                    • Instruction ID: 77ff5c52580631bcc440107842ed08e56e8e49e741daa4e3b711d1783c858c13
                    • Opcode Fuzzy Hash: 327f7aed521c79fa04d3ee8c8460044237c6ef537b2122fe9d81a409252e6934
                    • Instruction Fuzzy Hash: 64514371B00205AFDB18DFA9DD95AAEBBB6EB89310F14812DF51AD7290D770AD40CB50
                    APIs
                      • Part of subcall function 00621B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00622036,?,00000000,?,?,?,?,006216CB,00000000,?), ref: 00621B9A
                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006220D3
                    • KillTimer.USER32(-00000001,?,?,?,?,006216CB,00000000,?,?,00621AE2,?,?), ref: 0062216E
                    • DestroyAcceleratorTable.USER32(00000000), ref: 0065BEF6
                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006216CB,00000000,?,?,00621AE2,?,?), ref: 0065BF27
                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006216CB,00000000,?,?,00621AE2,?,?), ref: 0065BF3E
                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006216CB,00000000,?,?,00621AE2,?,?), ref: 0065BF5A
                    • DeleteObject.GDI32(00000000), ref: 0065BF6C
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                    • String ID:
                    • API String ID: 641708696-0
                    • Opcode ID: 481596c54a14de722e3122a30671dd1365cc60e43ffd60954ea1fb808521aec9
                    • Instruction ID: fa91d6223c61a66cfba790ea2a61f96bc3a644b55f6c3b528712729ae26019ae
                    • Opcode Fuzzy Hash: 481596c54a14de722e3122a30671dd1365cc60e43ffd60954ea1fb808521aec9
                    • Instruction Fuzzy Hash: E4618E31100B62EFCB35AF14ED98B6AB7F3FB51312F10652CE9824A660C771A895DF91
                    APIs
                      • Part of subcall function 006225DB: GetWindowLongW.USER32(?,000000EB), ref: 006225EC
                    • GetSysColor.USER32(0000000F), ref: 006221D3
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ColorLongWindow
                    • String ID:
                    • API String ID: 259745315-0
                    • Opcode ID: 49bf167dd7ddd5ebf515dd3017abc48472d04863c2e6dc1395b3066b1b7a84db
                    • Instruction ID: 87b76028228e84de4c480eb0228e2b9c79b542de9b3b54992cb39d7ad9692867
                    • Opcode Fuzzy Hash: 49bf167dd7ddd5ebf515dd3017abc48472d04863c2e6dc1395b3066b1b7a84db
                    • Instruction Fuzzy Hash: 8F41A131001A51EEDB255F68EC98BB93B67EB06331F144365FD659A2E2C7328D42DF22
                    APIs
                    • CharLowerBuffW.USER32(?,?,006AF910), ref: 0068AB76
                    • GetDriveTypeW.KERNEL32(00000061,006DA620,00000061), ref: 0068AC40
                    • _wcscpy.LIBCMT ref: 0068AC6A
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: BuffCharDriveLowerType_wcscpy
                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                    • API String ID: 2820617543-1000479233
                    • Opcode ID: d432c5bb4abd377af22e08f7a5a7222095631c3b6cd4b512cf44085ac709a8bb
                    • Instruction ID: 807f813daefea903b2ef00283d9697fe314b7e6f658628fca47777f4d128845d
                    • Opcode Fuzzy Hash: d432c5bb4abd377af22e08f7a5a7222095631c3b6cd4b512cf44085ac709a8bb
                    • Instruction Fuzzy Hash: AD51B0305083119BD750FF94D891EAAB7A7EF84300F14492EF986972A2DB31DD0ACB53
                    APIs
                      • Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623
                      • Part of subcall function 00622344: GetCursorPos.USER32(?), ref: 00622357
                      • Part of subcall function 00622344: ScreenToClient.USER32(006E67B0,?), ref: 00622374
                      • Part of subcall function 00622344: GetAsyncKeyState.USER32(00000001), ref: 00622399
                      • Part of subcall function 00622344: GetAsyncKeyState.USER32(00000002), ref: 006223A7
                    • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 006AC2E4
                    • ImageList_EndDrag.COMCTL32 ref: 006AC2EA
                    • ReleaseCapture.USER32 ref: 006AC2F0
                    • SetWindowTextW.USER32(?,00000000), ref: 006AC39A
                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 006AC3AD
                    • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 006AC48F
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                    • String ID: @GUI_DRAGFILE$@GUI_DROPID$prn$prn
                    • API String ID: 1924731296-1112027532
                    • Opcode ID: b5bf9100a89c9e1245a4c266551880407d7f544e05892d602ed75a7c21fd647e
                    • Instruction ID: 25b932ad10b0b7294cf6fe650742a79590f4134801bfe0bdd952afeebec85b3d
                    • Opcode Fuzzy Hash: b5bf9100a89c9e1245a4c266551880407d7f544e05892d602ed75a7c21fd647e
                    • Instruction Fuzzy Hash: 1F51AB70204304AFDB10EF24DC96FAA7BE6EB99310F00452DF5918B2E1CB70A948DF66
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: __i64tow__itow__swprintf
                    • String ID: %.15g$0x%p$False$True
                    • API String ID: 421087845-2263619337
                    • Opcode ID: 795d51482c0cdee344c5b7d5e8c06061fba63d414b665e613a0f68419db7828b
                    • Instruction ID: 03334493aeaaf74a88d8e5dc76f0963eb600693aec3fe9d5ad9daa934fdbf616
                    • Opcode Fuzzy Hash: 795d51482c0cdee344c5b7d5e8c06061fba63d414b665e613a0f68419db7828b
                    • Instruction Fuzzy Hash: 70412671904A15AFDB24EB38E842E7673EBEF48310F24446FE949D7381EA319846CB11
                    APIs
                    • _memset.LIBCMT ref: 006A73D9
                    • CreateMenu.USER32 ref: 006A73F4
                    • SetMenu.USER32(?,00000000), ref: 006A7403
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006A7490
                    • IsMenu.USER32(?), ref: 006A74A6
                    • CreatePopupMenu.USER32 ref: 006A74B0
                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006A74DD
                    • DrawMenuBar.USER32 ref: 006A74E5
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                    • String ID: 0$F
                    • API String ID: 176399719-3044882817
                    • Opcode ID: 1b06e005db065580d59cb5fd81d3f342b4e55b5f732ade61620cdaaca6a47dc1
                    • Instruction ID: 0e6fdfae757e37fc32ec1fa535b9e02d20b3b1cc37dddf25bc426a8cecba0266
                    • Opcode Fuzzy Hash: 1b06e005db065580d59cb5fd81d3f342b4e55b5f732ade61620cdaaca6a47dc1
                    • Instruction Fuzzy Hash: D7412274A00209EFDB20EFA4D984A9ABBFAFF5A340F144428E95597360D731AD10CF60
                    APIs
                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 006A77CD
                    • CreateCompatibleDC.GDI32(00000000), ref: 006A77D4
                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 006A77E7
                    • SelectObject.GDI32(00000000,00000000), ref: 006A77EF
                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 006A77FA
                    • DeleteDC.GDI32(00000000), ref: 006A7803
                    • GetWindowLongW.USER32(?,000000EC), ref: 006A780D
                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 006A7821
                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 006A782D
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                    • String ID: static
                    • API String ID: 2559357485-2160076837
                    • Opcode ID: f87e8e44a030b5b8381b7106f2e95a3438b1e757cdd368e1fc7c811094bc1fee
                    • Instruction ID: 6df8800d0d8e67f3ece4a44764a97a4f5d738d3d7796a6c7be8b447524a3b560
                    • Opcode Fuzzy Hash: f87e8e44a030b5b8381b7106f2e95a3438b1e757cdd368e1fc7c811094bc1fee
                    • Instruction Fuzzy Hash: D9316A32105215ABDF11AFA4DC09FDB3B6AEF0A321F111224FA55A61A0C775EC21DFA5
                    APIs
                    • _memset.LIBCMT ref: 0064707B
                      • Part of subcall function 00648D68: __getptd_noexit.LIBCMT ref: 00648D68
                    • __gmtime64_s.LIBCMT ref: 00647114
                    • __gmtime64_s.LIBCMT ref: 0064714A
                    • __gmtime64_s.LIBCMT ref: 00647167
                    • __allrem.LIBCMT ref: 006471BD
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006471D9
                    • __allrem.LIBCMT ref: 006471F0
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0064720E
                    • __allrem.LIBCMT ref: 00647225
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00647243
                    • __invoke_watson.LIBCMT ref: 006472B4
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                    • String ID:
                    • API String ID: 384356119-0
                    • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                    • Instruction ID: ea4b9f906cfef822598968d03410cf81a4b1e6d513d7f793be4e5f4a03023a14
                    • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                    • Instruction Fuzzy Hash: 977128B1A04717ABD7149E79CC41B9BB3AAAF10764F14423EF814E7381E770EB448794
                    APIs
                    • _memset.LIBCMT ref: 00682A31
                    • GetMenuItemInfoW.USER32(006E6890,000000FF,00000000,00000030), ref: 00682A92
                    • SetMenuItemInfoW.USER32(006E6890,00000004,00000000,00000030), ref: 00682AC8
                    • Sleep.KERNEL32(000001F4), ref: 00682ADA
                    • GetMenuItemCount.USER32(?), ref: 00682B1E
                    • GetMenuItemID.USER32(?,00000000), ref: 00682B3A
                    • GetMenuItemID.USER32(?,-00000001), ref: 00682B64
                    • GetMenuItemID.USER32(?,?), ref: 00682BA9
                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00682BEF
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00682C03
                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00682C24
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                    • String ID:
                    • API String ID: 4176008265-0
                    • Opcode ID: b6f1f06656b568e85566c97f76b979158991df671111d7c7361f54f9284f4d83
                    • Instruction ID: bf85070a72e671ca34496d3c7dc30640240ccf88183d067760a546211853756c
                    • Opcode Fuzzy Hash: b6f1f06656b568e85566c97f76b979158991df671111d7c7361f54f9284f4d83
                    • Instruction Fuzzy Hash: 3461B0B090124AAFDB21EFA4C8A8DFE7BBAFF11308F140659F84197251D731AD46DB21
                    APIs
                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006A7214
                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 006A7217
                    • GetWindowLongW.USER32(?,000000F0), ref: 006A723B
                    • _memset.LIBCMT ref: 006A724C
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006A725E
                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 006A72D6
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: MessageSend$LongWindow_memset
                    • String ID:
                    • API String ID: 830647256-0
                    • Opcode ID: 33ab92a2cfd4e7d18ec690bac069db42d38c85e282120792ac9d5e851966978f
                    • Instruction ID: 052f31dba630f21f2260b092cd2482f843c573bac29fc43fdf0740af2aa56635
                    • Instruction Fuzzy Hash: 8D616C71900248AFDB10EFA4CC81EEE77FAAB0A710F144159FA15AB3A1D770AD45DF64
                    APIs
                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00677135
                    • SafeArrayAllocData.OLEAUT32(?), ref: 0067718E
                    • VariantInit.OLEAUT32(?), ref: 006771A0
                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 006771C0
                    • VariantCopy.OLEAUT32(?,?), ref: 00677213
                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00677227
                    • VariantClear.OLEAUT32(?), ref: 0067723C
                    • SafeArrayDestroyData.OLEAUT32(?), ref: 00677249
                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00677252
                    • VariantClear.OLEAUT32(?), ref: 00677264
                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0067726F
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                    • String ID:
                    • API String ID: 2706829360-0
                    • Opcode ID: 87f618a1154c17d70b3d864c0f6127e7f3517f96095b5e20b7321fcb6fad43e5
                    • Instruction ID: bce6d2c45ee2cd9d97e074d8366a3dfecc9480d73ef2c874d28d6d4174d79b0c
                    • Instruction Fuzzy Hash: A0414235A042199FCB00EFA4D8449AEBBFAFF48354F00C069F955E7262DB30AA45CF91
                    APIs
                      • Part of subcall function 00629997: __itow.LIBCMT ref: 006299C2
                      • Part of subcall function 00629997: __swprintf.LIBCMT ref: 00629A0C
                    • CoInitialize.OLE32 ref: 00698718
                    • CoUninitialize.OLE32 ref: 00698723
                    • CoCreateInstance.OLE32(?,00000000,00000017,006B2BEC,?), ref: 00698783
                    • IIDFromString.OLE32(?,?), ref: 006987F6
                    • VariantInit.OLEAUT32(?), ref: 00698890
                    • VariantClear.OLEAUT32(?), ref: 006988F1
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                    • API String ID: 834269672-1287834457
                    • Opcode ID: 095887ab2d122eb04cb855df743834f5fa68994a7a69cce7266d62a742e2b9f1
                    • Instruction ID: 1f79698e57bd013acc81306edb6ce38c8e890a99572c72f37f8a7bc148653a39
                    • Instruction Fuzzy Hash: BC61E1706087119FDB10DF64C944B6EB7EAAF8A714F10481DF8859B791CB30ED44CBA6
                    APIs
                    • WSAStartup.WSOCK32(00000101,?), ref: 00695AA6
                    • inet_addr.WSOCK32(?,?,?), ref: 00695AEB
                    • gethostbyname.WSOCK32(?), ref: 00695AF7
                    • IcmpCreateFile.IPHLPAPI ref: 00695B05
                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00695B75
                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00695B8B
                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00695C00
                    • WSACleanup.WSOCK32 ref: 00695C06
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                    • String ID: Ping
                    • API String ID: 1028309954-2246546115
                    • Opcode ID: a143338b720bcc2c92bf6c5354fbcb21fd0fa3eaed72aba91b48931d5f02fc61
                    • Instruction ID: 8b743bffe6ef708dc5b8d88d3d11e4d4d7ad6695955d00f460fd34d8ce1ae4ca
                    • Instruction Fuzzy Hash: 3F519E31604B109FDB21AF24DC55B6AB7EAEF48310F04892AF956DB2A1DB70EC01CF56
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 0068B73B
                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0068B7B1
                    • GetLastError.KERNEL32 ref: 0068B7BB
                    • SetErrorMode.KERNEL32(00000000,READY), ref: 0068B828
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Error$Mode$DiskFreeLastSpace
                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                    • API String ID: 4194297153-14809454
                    • Opcode ID: 0fc4fc2688605bf60fa37e9d4a4db5a09b67504ee1c7203ec7b347e982e85f6f
                    • Instruction ID: 9f2d78a97057807122563fec88190a8a6ed491dfb008080f176f256bea6e8317
                    • Instruction Fuzzy Hash: C6319235A002059FDB10FFA4D885AFE7BBAEF85700F14912AF902D7391DB71A946CB51
                    APIs
                      • Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82
                      • Part of subcall function 0067B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0067B0E7
                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 006794F6
                    • GetDlgCtrlID.USER32 ref: 00679501
                    • GetParent.USER32 ref: 0067951D
                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00679520
                    • GetDlgCtrlID.USER32(?), ref: 00679529
                    • GetParent.USER32(?), ref: 00679545
                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00679548
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 1536045017-1403004172
                    • Opcode ID: 6846701133e487b2494a9949ae8be3d1c1a294fb954565fcb5aaa080869551bd
                    • Instruction ID: 80a7e4a4e5fbfdd12a46673b792b4076928cce70dfe73fa57a433b3a572fcb35
                    • Instruction Fuzzy Hash: AB21F170D00204BBDF00ABA4CC85EFEBBB7EF4A300F105129B922972A2DB755919DF60
                    APIs
                      • Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82
                      • Part of subcall function 0067B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0067B0E7
                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 006795DF
                    • GetDlgCtrlID.USER32 ref: 006795EA
                    • GetParent.USER32 ref: 00679606
                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00679609
                    • GetDlgCtrlID.USER32(?), ref: 00679612
                    • GetParent.USER32(?), ref: 0067962E
                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00679631
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 1536045017-1403004172
                    • Opcode ID: 34d33f6b13bd1b16d41edbf5b022f34e95994438e81b8756ae4a4a56d27e1dff
                    • Instruction ID: 0ec001b2e0fbbe1493884ca4349e792461cf91efd14cc5ef2099a88647cf761d
                    • Instruction Fuzzy Hash: 9A21B374900204BBDF01ABB4CC85EFEBBBAEF49300F105159B911972A1DB759919DF70
                    APIs
                    • GetParent.USER32 ref: 00679651
                    • GetClassNameW.USER32(00000000,?,00000100), ref: 00679666
                    • _wcscmp.LIBCMT ref: 00679678
                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 006796F3
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ClassMessageNameParentSend_wcscmp
                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                    • API String ID: 1704125052-3381328864
                    • Opcode ID: c5dbd8fecdbc2e2096567145bd9c7dbabcc999ef8ff6f22add374c9450412f0b
                    • Instruction ID: c3858fd16061e3e49467704adccb02fa397233c74827e1b13b26ee1dbbcaef01
                    • Instruction Fuzzy Hash: 3A112976648317BAFB052620EC07DE677DFDB05364F20422BFA04E56D1FEA269114ABC
                    APIs
                    • __swprintf.LIBCMT ref: 0068419D
                    • __swprintf.LIBCMT ref: 006841AA
                      • Part of subcall function 006438D8: __woutput_l.LIBCMT ref: 00643931
                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 006841D4
                    • LoadResource.KERNEL32(?,00000000), ref: 006841E0
                    • LockResource.KERNEL32(00000000), ref: 006841ED
                    • FindResourceW.KERNEL32(?,?,00000003), ref: 0068420D
                    • LoadResource.KERNEL32(?,00000000), ref: 0068421F
                    • SizeofResource.KERNEL32(?,00000000), ref: 0068422E
                    • LockResource.KERNEL32(?), ref: 0068423A
                    • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0068429B
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                    • String ID:
                    • API String ID: 1433390588-0
                    • Opcode ID: 98579bb70e89a1b17d17a1bedf597b2c7e3cc4ddc41b0cd8a17f4f5efb1bc064
                    • Instruction ID: 91c852b48c5f8c4393cff7034de4b97a3bd0cac2f3443490049c5ee78f35c4f9
                    • Instruction Fuzzy Hash: 9031927160921BAFDB11AFA0DC58EBF7BAEEF05301F004625F905D6250EB30DA519BA1
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 00681700
                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00680778,?,00000001), ref: 00681714
                    • GetWindowThreadProcessId.USER32(00000000), ref: 0068171B
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00680778,?,00000001), ref: 0068172A
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0068173C
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00680778,?,00000001), ref: 00681755
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00680778,?,00000001), ref: 00681767
                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00680778,?,00000001), ref: 006817AC
                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00680778,?,00000001), ref: 006817C1
                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00680778,?,00000001), ref: 006817CC
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                    • String ID:
                    • API String ID: 2156557900-0
                    • Opcode ID: 7bea1ecee5a43a616cd04a253fd362dff8e5303163aa88c67593ca9da48e704e
                    • Instruction ID: 9bbfa581dc8510d7067eb6b9b1207f0970c7c0e8d1403938de7ec6e98f741b11
                    • Instruction Fuzzy Hash: 88318E75604304ABEB21AF54DC84FA97BAFAB56711F105129F904CE3A0E7B4AD428F61
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Variant$ClearInit$_memset
                    • String ID: ,,k$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                    • API String ID: 2862541840-852925445
                    • Opcode ID: c0b0da1254002221fcf2a5cdb9dcef844537ea948af6a2bc2c4b7fb632ba9db6
                    • Instruction ID: 8e23e1ed2da3c1c2d7ee780241ba821b1f5b27891ff87988df73c375c838abb2
                    • Instruction Fuzzy Hash: 15917B71A00215ABDF24DFA9C844FAEBBBAEF85714F10815EF515AB280D7709945CFB0
                    APIs
                    • EnumChildWindows.USER32(?,0067AA64), ref: 0067A9A2
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ChildEnumWindows
                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                    • API String ID: 3555792229-1603158881
                    • Opcode ID: db7779344547295569532599b5ebbb591926dd687aaa9e0265b24d3cc86a606b
                    • Instruction ID: fb354399eede450cba41dfbc520e3d94e91001f1272a052746de2f8f07088e5a
                    • Instruction Fuzzy Hash: F2918430A006169ADB58DFA0C481BEDFB77BF44314F10C11DE99EA7251DB30A95ACBA5
                    APIs
                    • SetWindowLongW.USER32(?,000000EB), ref: 00622EAE
                      • Part of subcall function 00621DB3: GetClientRect.USER32(?,?), ref: 00621DDC
                      • Part of subcall function 00621DB3: GetWindowRect.USER32(?,?), ref: 00621E1D
                      • Part of subcall function 00621DB3: ScreenToClient.USER32(?,?), ref: 00621E45
                    • GetDC.USER32 ref: 0065CF82
                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0065CF95
                    • SelectObject.GDI32(00000000,00000000), ref: 0065CFA3
                    • SelectObject.GDI32(00000000,00000000), ref: 0065CFB8
                    • ReleaseDC.USER32(?,00000000), ref: 0065CFC0
                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0065D04B
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                    • String ID: U
                    • API String ID: 4009187628-3372436214
                    • Opcode ID: bb89c8b308aa3dae84a2f6ac6bd49b95867f21db56d319f743b5bde2f9c515a1
                    • Instruction ID: 4d7dfcb68492a96a15dfcf67b1f1d0ca7bd4889c393411019a0b685ab4231bcf
                    • Instruction Fuzzy Hash: DB71D030400205EFCF219F64D890AEA3BB7FF49361F14426AFD955A2A6C7319C46EF61
                    APIs
                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,006AF910), ref: 0069903D
                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,006AF910), ref: 00699071
                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 006991EB
                    • SysFreeString.OLEAUT32(?), ref: 00699215
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                    • String ID:
                    • API String ID: 560350794-0
                    • Opcode ID: fe7a46a8510800fade27a7562fc7be525b932cd35e38870500923183aa92226f
                    • Instruction ID: 0c4eedb5af5f779c846c621beaa573ae3a7c6ea5fceaba858bac0afbe2a44a6e
                    • Instruction Fuzzy Hash: 78F1F971A00119EFDF14DF98C888EEEB7BABF49315F108059F915AB251DB31AE46CB60
                    APIs
                    • _memset.LIBCMT ref: 0069F9C9
                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0069FB5C
                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0069FB80
                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0069FBC0
                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0069FBE2
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0069FD5E
                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0069FD90
                    • CloseHandle.KERNEL32(?), ref: 0069FDBF
                    • CloseHandle.KERNEL32(?), ref: 0069FE36
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                    • String ID:
                    • API String ID: 4090791747-0
                    • Opcode ID: 6a1e44a5e56bfac4650e78fff6b6b5d17f433c8c805187e3aa4b4aad2c563460
                    • Instruction ID: 21ff445af1221dbbb69cae1d9252d024de0036505016ef2fb734982ae16f9328
                    • Instruction Fuzzy Hash: 58E1C131604301DFCB54EF24C891A6ABBE6AF85314F15896DF8998B3A2CB31EC45CF56
                    APIs
                      • Part of subcall function 006848AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006838D3,?), ref: 006848C7
                      • Part of subcall function 006848AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006838D3,?), ref: 006848E0
                      • Part of subcall function 00684CD3: GetFileAttributesW.KERNEL32(?,00683947), ref: 00684CD4
                    • lstrcmpiW.KERNEL32(?,?), ref: 00684FE2
                    • _wcscmp.LIBCMT ref: 00684FFC
                    • MoveFileW.KERNEL32(?,?), ref: 00685017
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                    • String ID:
                    • API String ID: 793581249-0
                    • Opcode ID: 79e75f79e71a356de27cee7dab01b6ae05d9ff7052a2c999b42a6ffff92fe8f7
                    • Instruction ID: 2df1b5b50637a9d0042202d8333cb93c7aecdfc1c891ea62d1da39456429ca3e
                    • Opcode Fuzzy Hash: 79e75f79e71a356de27cee7dab01b6ae05d9ff7052a2c999b42a6ffff92fe8f7
                    • Instruction Fuzzy Hash: FD5177B20087859BC764EB90D8819DFB3DDAF85340F500A2EB285D3151EF74A58C8B6A
                    APIs
                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 006A896E
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: InvalidateRect
                    • String ID:
                    • API String ID: 634782764-0
                    • Opcode ID: fcd8d24d2055d326613bcb5332c0e897395d26d96edcf40d588eb6e05df19170
                    • Instruction ID: 22bf4ade960ceb50c4ea94859a9a8d15fb7f97891a9283fedefbf3ca09d2e825
                    • Opcode Fuzzy Hash: fcd8d24d2055d326613bcb5332c0e897395d26d96edcf40d588eb6e05df19170
                    • Instruction Fuzzy Hash: 9C518330600218BFDF20BF68DC85BAA7BA7BB06350F504116F615E72A1DF75AD909F51
                    APIs
                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0065C547
                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0065C569
                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0065C581
                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0065C59F
                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0065C5C0
                    • DestroyIcon.USER32(00000000), ref: 0065C5CF
                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0065C5EC
                    • DestroyIcon.USER32(?), ref: 0065C5FB
                      • Part of subcall function 006AA71E: DeleteObject.GDI32(00000000), ref: 006AA757
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                    • String ID:
                    • API String ID: 2819616528-0
                    • Opcode ID: 152ea1db82684a8844247ca3a7f920727e1430d9caba121424dcbd31bc1b80e9
                    • Instruction ID: cab76635ca5ee4dab313f4af0403add69b17721b1d0863eac284a3fecfbedbd1
                    • Opcode Fuzzy Hash: 152ea1db82684a8844247ca3a7f920727e1430d9caba121424dcbd31bc1b80e9
                    • Instruction Fuzzy Hash: B9517A7460070AAFDB20DF64DC95FAA37B6EB59362F104528F902972A0DB70ED91DF60
                    APIs
                      • Part of subcall function 0067AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 0067AE77
                      • Part of subcall function 0067AE57: GetCurrentThreadId.KERNEL32 ref: 0067AE7E
                      • Part of subcall function 0067AE57: AttachThreadInput.USER32(00000000,?,00679B65,?,00000001), ref: 0067AE85
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00679B70
                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00679B8D
                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00679B90
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00679B99
                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00679BB7
                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00679BBA
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00679BC3
                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00679BDA
                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00679BDD
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                    • String ID:
                    • API String ID: 2014098862-0
                    • Opcode ID: 0a57d4dde1eea92ab340773487e36353bfe16086ae4c2227529620186b2dcf86
                    • Instruction ID: 87b9ddc09569acc75d311263d5a73ac4fb4807be3d76d07381f233e80eb34163
                    • Opcode Fuzzy Hash: 0a57d4dde1eea92ab340773487e36353bfe16086ae4c2227529620186b2dcf86
                    • Instruction Fuzzy Hash: 6911E171550218BEF7106FA0DC89F6A3B2EEB4DB51F201429F248AB0A0C9F26C51DEA5
                    APIs
                    • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00678E0C
                    • HeapAlloc.KERNEL32(00000000), ref: 00678E13
                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00678E28
                    • GetCurrentProcess.KERNEL32(?,00000000), ref: 00678E30
                    • DuplicateHandle.KERNEL32(00000000), ref: 00678E33
                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002), ref: 00678E43
                    • GetCurrentProcess.KERNEL32(?,00000000), ref: 00678E4B
                    • DuplicateHandle.KERNEL32(00000000), ref: 00678E4E
                    • CreateThread.KERNEL32(00000000,00000000,00678E74,00000000,00000000,00000000), ref: 00678E68
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                    • String ID:
                    • API String ID: 1957940570-0
                    • Opcode ID: 45ccc1db573119201415f9316fd4562c38a3cc34ba169bd0d1490add78a8a153
                    • Instruction ID: 9f99f46660c671eb4257675cb3bb88e45e32aae5e6579e3b381acd928a90b1c2
                    • Opcode Fuzzy Hash: 45ccc1db573119201415f9316fd4562c38a3cc34ba169bd0d1490add78a8a153
                    • Instruction Fuzzy Hash: 8601A8B5240308FFE760ABA5DC4DF6B3BADEB89711F015421FA05DB1A1DA70AC008F21
                    APIs
                      • Part of subcall function 00677652: CLSIDFromProgID.COMBASE(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?,?,?,0067799D), ref: 0067766F
                      • Part of subcall function 00677652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?,?), ref: 0067768A
                      • Part of subcall function 00677652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?,?), ref: 00677698
                      • Part of subcall function 00677652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0067758C,80070057,?), ref: 006776A8
                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00699B1B
                    • _memset.LIBCMT ref: 00699B28
                    • _memset.LIBCMT ref: 00699C6B
                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00699C97
                    • CoTaskMemFree.OLE32(?), ref: 00699CA2
                    Strings
                    • NULL Pointer assignment, xrefs: 00699CF0
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                    • String ID: NULL Pointer assignment
                    • API String ID: 1300414916-2785691316
                    • Opcode ID: e5dbbeecb22ecf91adc3a2fd582aaa82bc6fa3dec9b6b49eb6a86744aa6a5167
                    • Instruction ID: aee90de3766d9805305769ba121f9acd199edd1276abe7739fabcfd7d377550a
                    • Opcode Fuzzy Hash: e5dbbeecb22ecf91adc3a2fd582aaa82bc6fa3dec9b6b49eb6a86744aa6a5167
                    • Instruction Fuzzy Hash: 5B913A71D00229EBDF20DFA4DC85EDEBBBAAF08710F20415AF419A7281DB315A45CFA0
                    APIs
                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 006A7093
                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 006A70A7
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 006A70C1
                    • _wcscat.LIBCMT ref: 006A711C
                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 006A7133
                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 006A7161
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: MessageSend$Window_wcscat
                    • String ID: SysListView32
                    • API String ID: 307300125-78025650
                    • Opcode ID: 89ae059016c17098f388cd0d431c9f015ea758945707b28f54a6593b40c334ff
                    • Instruction ID: 02e3b2c52613bcdaf32cfc8d5e7e4a96c8f5d227da3f62ffad4fa83595808241
                    • Opcode Fuzzy Hash: 89ae059016c17098f388cd0d431c9f015ea758945707b28f54a6593b40c334ff
                    • Instruction Fuzzy Hash: 6941A371A04308AFDB21AFA4CC85BEE77EAEF09350F10046AF545E7292D7719D848F64
                    APIs
                      • Part of subcall function 00683E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00683EB6
                      • Part of subcall function 00683E91: Process32FirstW.KERNEL32(00000000,?), ref: 00683EC4
                      • Part of subcall function 00683E91: CloseHandle.KERNEL32(00000000), ref: 00683F8E
                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0069ECB8
                    • GetLastError.KERNEL32 ref: 0069ECCB
                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0069ECFA
                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 0069ED77
                    • GetLastError.KERNEL32(00000000), ref: 0069ED82
                    • CloseHandle.KERNEL32(00000000), ref: 0069EDB7
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                    • String ID: SeDebugPrivilege
                    • API String ID: 2533919879-2896544425
                    • Opcode ID: 6b81ad77954a657e24e9e2a55965c250d29b12636ee3c7db9121ff5c70363c08
                    • Instruction ID: a49b60d5067380c1f3473542ba0da328523c8fc9a9ed4bc4a403aa645e7c193d
                    • Opcode Fuzzy Hash: 6b81ad77954a657e24e9e2a55965c250d29b12636ee3c7db9121ff5c70363c08
                    • Instruction Fuzzy Hash: 3241AC706002109FDB14EF24C895F6DB7A6AF81714F08841DF8469B7C2DB76A808CF9A
                    APIs
                    • LoadIconW.USER32(00000000,00007F03), ref: 006832C5
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: IconLoad
                    • String ID: blank$info$question$stop$warning
                    • API String ID: 2457776203-404129466
                    • Opcode ID: 1680286a682e0179ee8149f6db1f4ce927c1dabce04c3016ee3504b7b30018fa
                    • Instruction ID: afac9c1fb49a93d1ee90b0d123718ee51a9bf364f8b9bcef28555908b61332a6
                    • Opcode Fuzzy Hash: 1680286a682e0179ee8149f6db1f4ce927c1dabce04c3016ee3504b7b30018fa
                    • Instruction Fuzzy Hash: 5D112B3160C3667AA7017B95DC62CAAB39EDF19B70F10016AF500A63C2E6659B4147A5
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0068454E
                    • LoadStringW.USER32(00000000), ref: 00684555
                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0068456B
                    • LoadStringW.USER32(00000000), ref: 00684572
                    • _wprintf.LIBCMT ref: 00684598
                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 006845B6
                    Strings
                    • %s (%d) : ==> %s: %s %s, xrefs: 00684593
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: HandleLoadModuleString$Message_wprintf
                    • String ID: %s (%d) : ==> %s: %s %s
                    • API String ID: 3648134473-3128320259
                    • Opcode ID: c54428bf0827912c42d80da9fd5feb2323a59749f0cb6c96d94469e78f0a906b
                    • Instruction ID: b128e091240459d60f7ad0f87406def8cf42b8cc819a56914aa2e7ea6b8b3f67
                    • Opcode Fuzzy Hash: c54428bf0827912c42d80da9fd5feb2323a59749f0cb6c96d94469e78f0a906b
                    • Instruction Fuzzy Hash: CB0144F2900208BFE750B7D09D89EEB776DDB09301F0015A5B745D2151EA746E854F76
                    APIs
                      • Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623
                    • GetSystemMetrics.USER32(0000000F), ref: 006AD78A
                    • GetSystemMetrics.USER32(0000000F), ref: 006AD7AA
                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 006AD9E5
                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 006ADA03
                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 006ADA24
                    • ShowWindow.USER32(00000003,00000000), ref: 006ADA43
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 006ADA68
                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 006ADA8B
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                    • String ID:
                    • API String ID: 1211466189-0
                    • Opcode ID: 6aed15676538e0c9ad1bbc23b683f782e9444e7e0bc6bd3671572f1def2c3a43
                    • Instruction ID: 2d65a19d7646fcf831b2145dbf2220794515e8825d7d28fd818331544a047f58
                    • Opcode Fuzzy Hash: 6aed15676538e0c9ad1bbc23b683f782e9444e7e0bc6bd3671572f1def2c3a43
                    • Instruction Fuzzy Hash: 1FB17A71600215EBDF14DF68C9857EE7BB2BF06701F088069ED4A9A695DB34AD50CFA0
                    APIs
                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0065C417,00000004,00000000,00000000,00000000), ref: 00622ACF
                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0065C417,00000004,00000000,00000000,00000000,000000FF), ref: 00622B17
                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0065C417,00000004,00000000,00000000,00000000), ref: 0065C46A
                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0065C417,00000004,00000000,00000000,00000000), ref: 0065C4D6
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ShowWindow
                    • String ID:
                    • API String ID: 1268545403-0
                    • Opcode ID: db2b311f9a385a60e5e534c16dd57ad7f2358cfec8660cd81b6d2adcab487d3e
                    • Instruction ID: 3bca231b8f1c8351753d530b2e362db76deb08f1e7bd7a49be25bb7e686ef8ac
                    • Opcode Fuzzy Hash: db2b311f9a385a60e5e534c16dd57ad7f2358cfec8660cd81b6d2adcab487d3e
                    • Instruction Fuzzy Hash: C7410830204B91BEC7359B28ECB8BBB7BD3AB46315F18842DE44746A61C675A886DF11
                    APIs
                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 0068737F
                      • Part of subcall function 00640FF6: std::exception::exception.LIBCMT ref: 0064102C
                      • Part of subcall function 00640FF6: __CxxThrowException@8.LIBCMT ref: 00641041
                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 006873B6
                    • EnterCriticalSection.KERNEL32(?), ref: 006873D2
                    • _memmove.LIBCMT ref: 00687420
                    • _memmove.LIBCMT ref: 0068743D
                    • LeaveCriticalSection.KERNEL32(?), ref: 0068744C
                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00687461
                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00687480
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                    • String ID:
                    • API String ID: 256516436-0
                    • Opcode ID: 7caacb6d23c52260ea0f21a4e6a2077810b57633635f47391646d9494ebadd5b
                    • Instruction ID: 706533e8c2eba4b9602c0509e715a429955a844d7c7478d724c004ae960b7b3a
                    • Opcode Fuzzy Hash: 7caacb6d23c52260ea0f21a4e6a2077810b57633635f47391646d9494ebadd5b
                    • Instruction Fuzzy Hash: 4831C131900205EBDF50EFA4DC85AAE7BBAEF45700B1441B9FD049B246DB30DE54CBA5
                    APIs
                    • DeleteObject.GDI32(00000000), ref: 006A645A
                    • GetDC.USER32(00000000), ref: 006A6462
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 006A646D
                    • ReleaseDC.USER32(00000000,00000000), ref: 006A6479
                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 006A64B5
                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 006A64C6
                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,006A9299,?,?,000000FF,00000000,?,000000FF,?), ref: 006A6500
                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006A6520
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                    • String ID:
                    • API String ID: 3864802216-0
                    • Opcode ID: 30ea4303404f82c335be4d1ae3659dbcee6bd8aebd802efc7d9cc023fa08d7b5
                    • Instruction ID: a34fdfaa0f3b735fe4195ad0f02a2ce801f6232f6ecd989b00610d2aa196633a
                    • Opcode Fuzzy Hash: 30ea4303404f82c335be4d1ae3659dbcee6bd8aebd802efc7d9cc023fa08d7b5
                    • Instruction Fuzzy Hash: BA319F72200210BFEB109F50CC4AFEB3FAAEF0A765F085065FE089A291C675AC41CB75
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _memcmp
                    • String ID:
                    • API String ID: 2931989736-0
                    • Opcode ID: 759f86f7b186b152ec9303b3726f755bfdf45929267d9d6414aef18e036cd2bf
                    • Instruction ID: 81e805c44590ab9fc7a3528fdf6eb11ef9b52787998cde88d7eecff66e0e5e23
                    • Opcode Fuzzy Hash: 759f86f7b186b152ec9303b3726f755bfdf45929267d9d6414aef18e036cd2bf
                    • Instruction Fuzzy Hash: 8321C5A1600206B7D750A6209C52FFB279FAF113B4B45802CFD0D9A383F752DD5182E9
                    APIs
                      • Part of subcall function 00629997: __itow.LIBCMT ref: 006299C2
                      • Part of subcall function 00629997: __swprintf.LIBCMT ref: 00629A0C
                      • Part of subcall function 0063FEC6: _wcscpy.LIBCMT ref: 0063FEE9
                    • _wcstok.LIBCMT ref: 0068EEFF
                    • _wcscpy.LIBCMT ref: 0068EF8E
                    • _memset.LIBCMT ref: 0068EFC1
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                    • String ID: X
                    • API String ID: 774024439-3081909835
                    • Opcode ID: a8b6f36ac438ea0c27de895f2e80cdef3cd297b6aeff697a0f76cf9b65a61c85
                    • Instruction ID: 7d921fa63fe8ce4a81eaaa7c1b518c5ec1153500dbe7a228be9eb57bc7023725
                    • Opcode Fuzzy Hash: a8b6f36ac438ea0c27de895f2e80cdef3cd297b6aeff697a0f76cf9b65a61c85
                    • Instruction Fuzzy Hash: 01C19F316087119FC764EF24D885A9AB7E2BF84310F00496DF8999B3A2DB30EC45CF96
                    APIs
                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00696F14
                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00696F35
                    • WSAGetLastError.WSOCK32(00000000), ref: 00696F48
                    • htons.WSOCK32(?,?,?,00000000,?), ref: 00696FFE
                    • inet_ntoa.WSOCK32(?), ref: 00696FBB
                      • Part of subcall function 0067AE14: _strlen.LIBCMT ref: 0067AE1E
                      • Part of subcall function 0067AE14: _memmove.LIBCMT ref: 0067AE40
                    • _strlen.LIBCMT ref: 00697058
                    • _memmove.LIBCMT ref: 006970C1
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                    • String ID:
                    • API String ID: 3619996494-0
                    • Opcode ID: bf6ccb032ed20becacb696f2b00a7b66aa4ba8b5fc9dd49b3622ce1ffdf9de5a
                    • Instruction ID: f7e08e671270452a573456e3f2e436e8d1fe4b2f950d6f2f99aef697e8c02214
                    • Opcode Fuzzy Hash: bf6ccb032ed20becacb696f2b00a7b66aa4ba8b5fc9dd49b3622ce1ffdf9de5a
                    • Instruction Fuzzy Hash: C481E171508710AFDB50EF24DC82E6BB3EFAF84714F10891DF5559B292DA70AD01CBA6
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6522929d4e736f389d12bbb6d793fd1e45759a9ea296ead09cbc5e4408236ef3
                    • Instruction ID: 5305887deaa3a9cb8b9509d5ad074c3055eee0cd9ec9ea14881c2c94386bc8ab
                    • Opcode Fuzzy Hash: 6522929d4e736f389d12bbb6d793fd1e45759a9ea296ead09cbc5e4408236ef3
                    • Instruction Fuzzy Hash: ED71AD30904519EFCB04DF98DC49AFEBBBAFF86310F108159F915AA251C734AA52CFA5
                    APIs
                    • IsWindow.USER32(010073D0), ref: 006AB6A5
                    • IsWindowEnabled.USER32(010073D0), ref: 006AB6B1
                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 006AB795
                    • SendMessageW.USER32(010073D0,000000B0,?,?), ref: 006AB7CC
                    • IsDlgButtonChecked.USER32(?,?), ref: 006AB809
                    • GetWindowLongW.USER32(010073D0,000000EC), ref: 006AB82B
                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 006AB843
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                    • String ID:
                    • API String ID: 4072528602-0
                    • Opcode ID: e84a163ea0de084822a8c150a5c6ad7bf9ff39b9e99c0dcd6463f235e6faf154
                    • Instruction ID: 6833a94f1dd6905702c8cee84e3c8772c467e796e0002b646a1eafccb0c7a675
                    • Opcode Fuzzy Hash: e84a163ea0de084822a8c150a5c6ad7bf9ff39b9e99c0dcd6463f235e6faf154
                    • Instruction Fuzzy Hash: 2D718A34600204AFDB24AFA4C8A4FEA7BABFB5B340F146069F945973A2C771AD51CF50
                    APIs
                    • _memset.LIBCMT ref: 0069F75C
                    • _memset.LIBCMT ref: 0069F825
                    • ShellExecuteExW.SHELL32(?), ref: 0069F86A
                      • Part of subcall function 00629997: __itow.LIBCMT ref: 006299C2
                      • Part of subcall function 00629997: __swprintf.LIBCMT ref: 00629A0C
                      • Part of subcall function 0063FEC6: _wcscpy.LIBCMT ref: 0063FEE9
                    • GetProcessId.KERNEL32(00000000), ref: 0069F8E1
                    • CloseHandle.KERNEL32(00000000), ref: 0069F910
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                    • String ID: @
                    • API String ID: 3522835683-2766056989
                    • Opcode ID: 65673be07bdfb0ed32e5a08d7fc494f2978f905235038dde64193f0f1ac5be95
                    • Instruction ID: 89ac10ad6c94b03fd164544779698eeb5407c530cf8f789e3eb09561c10de9ca
                    • Opcode Fuzzy Hash: 65673be07bdfb0ed32e5a08d7fc494f2978f905235038dde64193f0f1ac5be95
                    • Instruction Fuzzy Hash: 7E619974A006299FCF04EF94D5819AEBBB6FF48310F15846DE846AB751CB30AD40CF94
                    APIs
                    • GetParent.USER32(?), ref: 0068149C
                    • GetKeyboardState.USER32(?), ref: 006814B1
                    • SetKeyboardState.USER32(?), ref: 00681512
                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00681540
                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 0068155F
                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 006815A5
                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 006815C8
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: MessagePost$KeyboardState$Parent
                    • String ID:
                    • API String ID: 87235514-0
                    • Opcode ID: cd032e79f00a207564341547131409bdbe979224b271a7e0eba7d305efee16ce
                    • Instruction ID: 88b7cdc531b63f99c2e67246befa9dd3913141859bd73959e0b16a219f26ad53
                    • Opcode Fuzzy Hash: cd032e79f00a207564341547131409bdbe979224b271a7e0eba7d305efee16ce
                    • Instruction Fuzzy Hash: A651F0A0A042D53EFB3263648C45BFA7EAF5B47304F08868DE1D59A9C2D294ACC6D761
                    APIs
                    • GetParent.USER32(00000000), ref: 006812B5
                    • GetKeyboardState.USER32(?), ref: 006812CA
                    • SetKeyboardState.USER32(?), ref: 0068132B
                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00681357
                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00681374
                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006813B8
                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006813D9
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: MessagePost$KeyboardState$Parent
                    • String ID:
                    • API String ID: 87235514-0
                    • Opcode ID: 7444df41fcb8fadcbd0756b928533e0dc6748e998c934902f1481f01fc4ae5b6
                    • Instruction ID: 8393fa6b28ecf57f4b870ed3f581259d272455d97f401cbcd40608aa9a0b606e
                    • Opcode Fuzzy Hash: 7444df41fcb8fadcbd0756b928533e0dc6748e998c934902f1481f01fc4ae5b6
                    • Instruction Fuzzy Hash: 8C51F3A09046D53EFB32A7248C55BBABFAF5B07300F08868DE1D49E9C2D395AC86D751
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _wcsncpy$LocalTime
                    • String ID:
                    • API String ID: 2945705084-0
                    • Opcode ID: efc83b6fc46739871e646436b6b26dc2832e4ade0c9741e1f2d096f6302d48c7
                    • Instruction ID: ce8991f193e0070bf4e639a9c2335f6d994e0849d78b4415a4247e2022642103
                    • Opcode Fuzzy Hash: efc83b6fc46739871e646436b6b26dc2832e4ade0c9741e1f2d096f6302d48c7
                    • Instruction Fuzzy Hash: 76418465C2052876CB90FBB5C886ACF73AAAF05310F60855AF519E3221FB34E715C7AD
                    APIs
                      • Part of subcall function 006848AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006838D3,?), ref: 006848C7
                      • Part of subcall function 006848AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006838D3,?), ref: 006848E0
                    • lstrcmpiW.KERNEL32(?,?), ref: 006838F3
                    • _wcscmp.LIBCMT ref: 0068390F
                    • MoveFileW.KERNEL32(?,?), ref: 00683927
                    • _wcscat.LIBCMT ref: 0068396F
                    • SHFileOperationW.SHELL32(?), ref: 006839DB
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                    • String ID: \*.*
                    • API String ID: 1377345388-1173974218
                    • Opcode ID: d54b41cea8c3ff0bf7bb1be1f402fcbc61715a028651676acbf1ad71ac2ae14a
                    • Instruction ID: 06123211bd8c9b3bfbd60706f1a3cb76c24c9c213f586fa325d63421dddfba2e
                    • Opcode Fuzzy Hash: d54b41cea8c3ff0bf7bb1be1f402fcbc61715a028651676acbf1ad71ac2ae14a
                    • Instruction Fuzzy Hash: 034180B140C3459ACB91FF64C481AEFB7EDAF89740F401A2EF48AC3251EA74D648CB56
                    APIs
                    • _memset.LIBCMT ref: 006A7519
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006A75C0
                    • IsMenu.USER32(?), ref: 006A75D8
                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006A7620
                    • DrawMenuBar.USER32 ref: 006A7633
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Menu$Item$DrawInfoInsert_memset
                    • String ID: 0
                    • API String ID: 3866635326-4108050209
                    • Opcode ID: 345672836e4ad3d1acd077a36892f0e0b1617fa0093ffeb5f4262e6416f5ed76
                    • Instruction ID: 8959b15fa9472278e0c270be0c3777f4559bdb73d897f5d4667075fcd872d63b
                    • Opcode Fuzzy Hash: 345672836e4ad3d1acd077a36892f0e0b1617fa0093ffeb5f4262e6416f5ed76
                    • Instruction Fuzzy Hash: 01411575A04609AFDB20EF94D884ADABBFAFB0A350F049129F9559B350D730ED51CFA0
                    APIs
                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 006A125C
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006A1286
                    • FreeLibrary.KERNEL32(00000000), ref: 006A133D
                      • Part of subcall function 006A122D: RegCloseKey.ADVAPI32(?), ref: 006A12A3
                      • Part of subcall function 006A122D: FreeLibrary.KERNEL32(?), ref: 006A12F5
                      • Part of subcall function 006A122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 006A1318
                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 006A12E0
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                    • String ID:
                    • API String ID: 395352322-0
                    • Opcode ID: d66857ed24df0b4a4089c939feb826e65e59431f862569dcaeb26f10655cadc1
                    • Instruction ID: 8edbabb430940d1b818e585f1da7b585a548c26e3c7825d28fd0fa1047635faa
                    • Opcode Fuzzy Hash: d66857ed24df0b4a4089c939feb826e65e59431f862569dcaeb26f10655cadc1
                    • Instruction Fuzzy Hash: 41311C71901109BFDB14AFD0DC89AFEB7BDEF0A300F0001AAE501E6251DA74AF859EA5
                    APIs
                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 006A655B
                    • GetWindowLongW.USER32(010073D0,000000F0), ref: 006A658E
                    • GetWindowLongW.USER32(010073D0,000000F0), ref: 006A65C3
                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 006A65F5
                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 006A661F
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 006A6630
                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 006A664A
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: LongWindow$MessageSend
                    • String ID:
                    • API String ID: 2178440468-0
                    • Opcode ID: 2e5e6d12374f4c93581d8b6f264a8ec067330731d391ad1039b23e0925f349d0
                    • Instruction ID: dcea8dc9ddda82a0b2fbd12923027b93c8b4ad01454c0e13dee733224df40388
                    • Opcode Fuzzy Hash: 2e5e6d12374f4c93581d8b6f264a8ec067330731d391ad1039b23e0925f349d0
                    • Instruction Fuzzy Hash: A331F330A44250AFDB21EF58DC89F9537E2FB5A750F1921A8F5118F2B6CB61AC40DF62
                    APIs
                      • Part of subcall function 006980A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006980CB
                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006964D9
                    • WSAGetLastError.WSOCK32(00000000), ref: 006964E8
                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00696521
                    • connect.WSOCK32(00000000,?,00000010), ref: 0069652A
                    • WSAGetLastError.WSOCK32 ref: 00696534
                    • closesocket.WSOCK32(00000000), ref: 0069655D
                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00696576
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                    • String ID:
                    • API String ID: 910771015-0
                    • Opcode ID: 3d835ef24499890bd057cbb2c3533d18d3c0b9186c5ecf144feab519c84d7913
                    • Instruction ID: 3aa5c502655c5177a4fdc0b52c05696bcde45333f435ed4b679f951177beca2e
                    • Opcode Fuzzy Hash: 3d835ef24499890bd057cbb2c3533d18d3c0b9186c5ecf144feab519c84d7913
                    • Instruction Fuzzy Hash: 69318131600218AFDF10AF64DC85BBE7BBEEB45724F048069F90997291DB74AD45CF62
                    APIs
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0067E0FA
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0067E120
                    • SysAllocString.OLEAUT32(00000000), ref: 0067E123
                    • SysAllocString.OLEAUT32 ref: 0067E144
                    • SysFreeString.OLEAUT32 ref: 0067E14D
                    • StringFromGUID2.OLE32(?,?,00000028), ref: 0067E167
                    • SysAllocString.OLEAUT32(?), ref: 0067E175
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                    • String ID:
                    • API String ID: 3761583154-0
                    • Opcode ID: bbaa8a812385ccfe7aa5aab61815eff1cf1095ea12ad86ac6f1e02a6b024da11
                    • Instruction ID: 7f627a2bbd774ad760668de65dcd86ba6077292e475e15dc055800b352e62a02
                    • Opcode Fuzzy Hash: bbaa8a812385ccfe7aa5aab61815eff1cf1095ea12ad86ac6f1e02a6b024da11
                    • Instruction Fuzzy Hash: B9217135604108AFDB10AFB8DC89CAB77EEEB0D760B50C175F919CB261DA71EC858B64
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                    • API String ID: 1038674560-2734436370
                    • Opcode ID: c9eff66d792069d10daee313ab4a7be9c5f7ac7546f7ef03a86a2a23e0a52ac6
                    • Instruction ID: 0d9e312de0b29a9eba49d5b49f57bebcf554683f62ffa7510109281bcf348e17
                    • Opcode Fuzzy Hash: c9eff66d792069d10daee313ab4a7be9c5f7ac7546f7ef03a86a2a23e0a52ac6
                    • Instruction Fuzzy Hash: 5F213772104565E6D331E734DC22EE773DBEF61740F14C439F88986281EB51A9D2D299
                    APIs
                      • Part of subcall function 00621D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00621D73
                      • Part of subcall function 00621D35: GetStockObject.GDI32(00000011), ref: 00621D87
                      • Part of subcall function 00621D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00621D91
                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 006A78A1
                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 006A78AE
                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 006A78B9
                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006A78C8
                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 006A78D4
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: MessageSend$CreateObjectStockWindow
                    • String ID: Msctls_Progress32
                    • API String ID: 1025951953-3636473452
                    • Opcode ID: 9e25dada237ffbd0c7aa9ab17b5a1c8f2c272753a5eb8673772a2760a6ded2ca
                    • Instruction ID: db0e83b9409401c4026df9cf49635e3b3227478e61427cc27019eb65c8208baf
                    • Opcode Fuzzy Hash: 9e25dada237ffbd0c7aa9ab17b5a1c8f2c272753a5eb8673772a2760a6ded2ca
                    • Instruction Fuzzy Hash: 6C1190B2510219BFEF159F60CC85EE77F6EEF097A8F015125BA04A6190C772AC21DFA4
                    APIs
                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00644292,?), ref: 006441E3
                    • GetProcAddress.KERNEL32(00000000), ref: 006441EA
                    • EncodePointer.KERNEL32(00000000), ref: 006441F6
                    • DecodePointer.KERNEL32(00000001,00644292,?), ref: 00644213
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                    • String ID: RoInitialize$combase.dll
                    • API String ID: 3489934621-340411864
                    • Opcode ID: 1454817ae456687d1c79af4bc3c35c625d8f96d1184b12dbe1f70ecd506275f3
                    • Instruction ID: 7039b0d520b0cbd0b1fc51b7c5ca2e7faee75508792ed64dead99c0bcdc49e74
                    • Opcode Fuzzy Hash: 1454817ae456687d1c79af4bc3c35c625d8f96d1184b12dbe1f70ecd506275f3
                    • Instruction Fuzzy Hash: 27E01AB0A90341AEEF207BF0EC89BA53AE7BB62703F106824F511D91A0DFB554D59F01
                    APIs
                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,006441B8), ref: 006442B8
                    • GetProcAddress.KERNEL32(00000000), ref: 006442BF
                    • EncodePointer.KERNEL32(00000000), ref: 006442CA
                    • DecodePointer.KERNEL32(006441B8), ref: 006442E5
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                    • String ID: RoUninitialize$combase.dll
                    • API String ID: 3489934621-2819208100
                    • Opcode ID: 6f5ca48d667b281159d43157b09f39274737c48c4b88bff152e42aa3cf1fc390
                    • Instruction ID: a55ced1fb48784c8906d0150d364aaf6e275f12a8a46773170e08b40f6bc02fe
                    • Opcode Fuzzy Hash: 6f5ca48d667b281159d43157b09f39274737c48c4b88bff152e42aa3cf1fc390
                    • Instruction Fuzzy Hash: 97E0B6B8691341AFEF10ABB1EC8DB963AA7BB25742F106428F001E95A0CFB45684DF15
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _memmove$__itow__swprintf
                    • String ID:
                    • API String ID: 3253778849-0
                    • Opcode ID: 80b5b34108944b4165bc1cf5c6d501e0a968af88b2aa23ea6038a87017b1d6f0
                    • Instruction ID: d0b1cb9785fa474571f9191ee5aa3de8d32b6a94bd51737f39667715d59c9254
                    • Opcode Fuzzy Hash: 80b5b34108944b4165bc1cf5c6d501e0a968af88b2aa23ea6038a87017b1d6f0
                    • Instruction Fuzzy Hash: 0461BE30500A6A9BDF51FF20DC82EFE37A6AF45708F04461DF95A5B292DB309D85CBA4
                    APIs
                      • Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82
                      • Part of subcall function 006A10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006A0038,?,?), ref: 006A10BC
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006A0548
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006A0588
                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 006A05AB
                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006A05D4
                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 006A0617
                    • RegCloseKey.ADVAPI32(00000000), ref: 006A0624
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                    • String ID:
                    • API String ID: 4046560759-0
                    • Opcode ID: d550f88e4aa40c3a9228bd97b6c50e033fd00a363a7846383afa22b9656b1e75
                    • Instruction ID: a76d197c19b7c8126afd276d1849dee6fbd612bb126e516e19e2d0a0530ba497
                    • Opcode Fuzzy Hash: d550f88e4aa40c3a9228bd97b6c50e033fd00a363a7846383afa22b9656b1e75
                    • Instruction Fuzzy Hash: 3C515831508200AFDB54EF64D885E6BBBEAFF8A314F04891DF585872A1DB31E905CF56
                    APIs
                    • GetMenu.USER32(?), ref: 006A5A82
                    • GetMenuItemCount.USER32(00000000), ref: 006A5AB9
                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006A5AE1
                    • GetMenuItemID.USER32(?,?), ref: 006A5B50
                    • GetSubMenu.USER32(?,?), ref: 006A5B5E
                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 006A5BAF
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Menu$Item$CountMessagePostString
                    • String ID:
                    • API String ID: 650687236-0
                    • Opcode ID: dc34017e28a17ccc352eb166df9ffab2746b623d8f6fa730b8e10681554be53e
                    • Instruction ID: 9befe1ac38df43ebb7429f8fbe987a2971527de6e307af6497e4dd68a9693761
                    • Opcode Fuzzy Hash: dc34017e28a17ccc352eb166df9ffab2746b623d8f6fa730b8e10681554be53e
                    • Instruction Fuzzy Hash: F8518F31E00A25EFCB11EFA4C855AAEB7B6EF49310F104469F906B7351CB70AE418F95
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 0067F3F7
                    • VariantClear.OLEAUT32(00000013), ref: 0067F469
                    • VariantClear.OLEAUT32(00000000), ref: 0067F4C4
                    • _memmove.LIBCMT ref: 0067F4EE
                    • VariantClear.OLEAUT32(?), ref: 0067F53B
                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0067F569
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Variant$Clear$ChangeInitType_memmove
                    • String ID:
                    • API String ID: 1101466143-0
                    • Opcode ID: 5da805b5fd1734d74b65eae3ed7a2e43f72fcf7ddfe3b1662edc14a629fa9785
                    • Instruction ID: 4105179251578f21e1261ec39122c2e0e5c36a08f2814a323fdfc3b13cda906f
                    • Opcode Fuzzy Hash: 5da805b5fd1734d74b65eae3ed7a2e43f72fcf7ddfe3b1662edc14a629fa9785
                    • Instruction Fuzzy Hash: 205146B5A00209AFDB10DF68D880EAAB7F9FF4D354B158569E959DB301D730E912CFA0
                    APIs
                    • _memset.LIBCMT ref: 00682747
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00682792
                    • IsMenu.USER32(00000000), ref: 006827B2
                    • CreatePopupMenu.USER32 ref: 006827E6
                    • GetMenuItemCount.USER32(000000FF), ref: 00682844
                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00682875
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                    • String ID:
                    • API String ID: 3311875123-0
                    • Opcode ID: 436edc868300fcffcbc328d12de4ec282420a528c7b703c5f126b01b9babbee5
                    • Instruction ID: ca139d1a715e353de4df4d953e8eefeae44dd6c35ee3cefb4136350abe79ab58
                    • Opcode Fuzzy Hash: 436edc868300fcffcbc328d12de4ec282420a528c7b703c5f126b01b9babbee5
                    • Instruction Fuzzy Hash: 115190B0A00207EFDF24EF68D898AEEBBF6EF45314F104369E8119B291D7709949CB51
                    APIs
                      • Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623
                    • BeginPaint.USER32(?,?,?,?,?,?), ref: 0062179A
                    • GetWindowRect.USER32(?,?), ref: 006217FE
                    • ScreenToClient.USER32(?,?), ref: 0062181B
                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0062182C
                    • EndPaint.USER32(?,?), ref: 00621876
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: PaintWindow$BeginClientLongRectScreenViewport
                    • String ID:
                    • API String ID: 1827037458-0
                    • Opcode ID: 2630706b3fccf40054639406fa44a0eb0d70952b2703a4b3360f8b9e64ea8edd
                    • Instruction ID: 9e4c26dbb09f0cceb43837e82e3caa6ed4796f84982cbdd8b93fc8afbfa3b67a
                    • Opcode Fuzzy Hash: 2630706b3fccf40054639406fa44a0eb0d70952b2703a4b3360f8b9e64ea8edd
                    • Instruction Fuzzy Hash: 3541B070104751AFC710DF24DCC4BBB7BEAEB66764F140668F9948A2A1C731A845DF62
                    APIs
                    • ShowWindow.USER32(006E67B0,00000000,010073D0,?,?,006E67B0,?,006AB862,?,?), ref: 006AB9CC
                    • EnableWindow.USER32(00000000,00000000), ref: 006AB9F0
                    • ShowWindow.USER32(006E67B0,00000000,010073D0,?,?,006E67B0,?,006AB862,?,?), ref: 006ABA50
                    • ShowWindow.USER32(00000000,00000004,?,006AB862,?,?), ref: 006ABA62
                    • EnableWindow.USER32(00000000,00000001), ref: 006ABA86
                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 006ABAA9
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Window$Show$Enable$MessageSend
                    • String ID:
                    • API String ID: 642888154-0
                    • Opcode ID: efc2247b30c1d91939385ea52aff2f30b0340ab16a482a9fcade70e69ff390f5
                    • Instruction ID: 48d64dd62509912cdb98ea7e7db43f74ce8ae806fae6c8b2fd3954c2ae5c2b5b
                    • Opcode Fuzzy Hash: efc2247b30c1d91939385ea52aff2f30b0340ab16a482a9fcade70e69ff390f5
                    • Instruction Fuzzy Hash: E8412931600241AFDB22EF64D499BD57BA2EF07310F1852A9FA488F6A3C731AC45CF51
                    APIs
                    • GetForegroundWindow.USER32(?,?,?,?,?,?,00695134,?,?,00000000,00000001), ref: 006973BF
                      • Part of subcall function 00693C94: GetWindowRect.USER32(?,?), ref: 00693CA7
                    • GetDesktopWindow.USER32 ref: 006973E9
                    • GetWindowRect.USER32(00000000), ref: 006973F0
                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00697422
                      • Part of subcall function 006854E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0068555E
                    • GetCursorPos.USER32(?), ref: 0069744E
                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006974AC
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                    • String ID:
                    • API String ID: 4137160315-0
                    • Opcode ID: c8f41aab90215168100cb55d1587d673b22c5c4c8b06c86ade078cf49e74e7b1
                    • Instruction ID: 53147c97dcea37d4b6b59015fbf46866d1aad8ef809a3bb1e66a471a6ff16a3f
                    • Opcode Fuzzy Hash: c8f41aab90215168100cb55d1587d673b22c5c4c8b06c86ade078cf49e74e7b1
                    • Instruction Fuzzy Hash: F331E672508305ABDB24EF54D849F9BBBEEFF89714F000919F58997192DB30E908CB92
                    APIs
                      • Part of subcall function 006785F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00678608
                      • Part of subcall function 006785F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00678612
                      • Part of subcall function 006785F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00678621
                      • Part of subcall function 006785F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00678628
                      • Part of subcall function 006785F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0067863E
                    • GetLengthSid.ADVAPI32(?,00000000,00678977), ref: 00678DAC
                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00678DB8
                    • HeapAlloc.KERNEL32(00000000), ref: 00678DBF
                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 00678DD8
                    • GetProcessHeap.KERNEL32(00000000,00000000,00678977), ref: 00678DEC
                    • HeapFree.KERNEL32(00000000), ref: 00678DF3
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                    • String ID:
                    • API String ID: 3008561057-0
                    • Opcode ID: d07bd2e23d296dc2c15d0f4796e4a6916e41fc4a79bdad3dff747873567bab8f
                    • Instruction ID: 5dfde0989437ca48ce94fac7e451186b15a177d592f844c0314cd589fcb9f583
                    • Opcode Fuzzy Hash: d07bd2e23d296dc2c15d0f4796e4a6916e41fc4a79bdad3dff747873567bab8f
                    • Instruction Fuzzy Hash: 6E119A31640605EFDB20ABA4CC0DBAEBBAAEF56315F108029E84997250CB32AD00CF60
                    APIs
                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00678B2A
                    • OpenProcessToken.ADVAPI32(00000000), ref: 00678B31
                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00678B40
                    • CloseHandle.KERNEL32(00000004), ref: 00678B4B
                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00678B7A
                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 00678B8E
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                    • String ID:
                    • API String ID: 1413079979-0
                    • Opcode ID: ad13f4b5564dd95544b3607cbee1004d8cc8be6de87fbb14238492b6f5574a7c
                    • Instruction ID: 69619a7dffacd9e864989974a9c967a5230fdc1f71ef552759643270f8b27431
                    • Opcode Fuzzy Hash: ad13f4b5564dd95544b3607cbee1004d8cc8be6de87fbb14238492b6f5574a7c
                    • Instruction Fuzzy Hash: C9114C72541209EFDF019FE4ED48EEE7BAAEF09704F045165FA04A2160C7719D60EB61
                    APIs
                      • Part of subcall function 006212F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0062134D
                      • Part of subcall function 006212F3: SelectObject.GDI32(?,00000000), ref: 0062135C
                      • Part of subcall function 006212F3: BeginPath.GDI32(?), ref: 00621373
                      • Part of subcall function 006212F3: SelectObject.GDI32(?,00000000), ref: 0062139C
                    • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 006AC1C4
                    • LineTo.GDI32(00000000,00000003,?), ref: 006AC1D8
                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 006AC1E6
                    • LineTo.GDI32(00000000,00000000,?), ref: 006AC1F6
                    • EndPath.GDI32(00000000), ref: 006AC206
                    • StrokePath.GDI32(00000000), ref: 006AC216
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                    • String ID:
                    • API String ID: 43455801-0
                    • Opcode ID: c8a9fdc50ab8270637c83e239b5c83a9a881e33b03e2081ea71c3f90c28e981b
                    • Instruction ID: 3739ac017f7fd7ce914bf2f595b666ec74b810902d427d1d3bd2ccc902bb2185
                    • Opcode Fuzzy Hash: c8a9fdc50ab8270637c83e239b5c83a9a881e33b03e2081ea71c3f90c28e981b
                    • Instruction Fuzzy Hash: B0110C7640014CBFDB11AF94DC88FDA7FAEEB05394F048021B9194A161C771AE55DFA0
                    APIs
                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 006403D3
                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 006403DB
                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 006403E6
                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 006403F1
                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 006403F9
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00640401
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Virtual
                    • String ID:
                    • API String ID: 4278518827-0
                    • Opcode ID: d7d16e1cfe0facd87f7546e9b105cad5cc9d3cc573c800b72ee1b4386cfa2dcb
                    • Instruction ID: 9b170cead01816f48775bddff2091ed510237b8129ec6e92bc15075a8bf64a23
                    • Opcode Fuzzy Hash: d7d16e1cfe0facd87f7546e9b105cad5cc9d3cc573c800b72ee1b4386cfa2dcb
                    • Instruction Fuzzy Hash: 15016CB09017597DE3009F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CFE5
                    APIs
                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0068569B
                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006856B1
                    • GetWindowThreadProcessId.USER32(?,?), ref: 006856C0
                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006856CF
                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006856D9
                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006856E0
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                    • String ID:
                    • API String ID: 839392675-0
                    • Opcode ID: 939fd405aa3fe686849e6b71365c9f2e7d73dc10746b32b84c31d1626cd400bb
                    • Instruction ID: f631f163280f8d2c734c56ea97b9753449508b149387fd9a7856c081d06a850b
                    • Opcode Fuzzy Hash: 939fd405aa3fe686849e6b71365c9f2e7d73dc10746b32b84c31d1626cd400bb
                    • Instruction Fuzzy Hash: 22F01D32241158BBE7216BE2DC0DEEB7A7DEBC7B11F001169FA05D10609AA12A018AB6
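The entries in this listing share one line format: a bullet, an optional "Part of subcall function" prefix, `Function.MODULE(args)` with unrecovered arguments shown as `?`, and a `ref:` address. The small parser below, added here as an example and not part of Joe Sandbox or its IDA plugin, turns those lines into records and resolves the handful of Win32 constants that appear above (for instance `00000010` in `PostMessageW` is `WM_CLOSE`, `001F0FFF` in `OpenProcess` is `PROCESS_ALL_ACCESS`, `00000005` in `HttpQueryInfoW` is `HTTP_QUERY_CONTENT_LENGTH`). The sample lines are constructed by copying entries from this page, with the trailing stack-residue arguments Joe Sandbox prints after the real parameters trimmed; the constant tables are the standard Win32 values and which argument position each applies to is an assumption of this example. Values the report shows truncated (such as the `000000F6` passed to `GetStdHandle`) are deliberately left as raw hex. `has_sequence` checks whether a function's calls contain an ordered chain such as close-window, open-process, terminate-process, which is how a triager would confirm the WinKill-style behaviour in the entry above.

```python
"""Parse and annotate the 'APIs' lines of a Joe Sandbox function listing.

Added example for this report page, not Joe Sandbox code. SAMPLE_LINES are
constructed by copying entries from the listing (argument tails trimmed); the
constant tables hold standard Win32 values, and the argument position each
constant is matched against is an assumption made here.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: entries copied from the function listings on this page.
SAMPLE_LINES = [
    "• MapVirtualKeyW.USER32(0000005B,00000000), ref: 006403D3",
    "• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0068569B",
    "• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006856B1",
    "• OpenProcess.KERNEL32(001F0FFF,00000000,?,?), ref: 006856CF",
    "• TerminateProcess.KERNEL32(00000000,00000000), ref: 006856D9",
    "  • Part of subcall function 00686ED7: CloseHandle.KERNEL32(00000000,?), ref: 00686EE1",
    "• _memcmp.LIBCMT ref: 00677C90",
    "• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 006870DD",
    "• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 006793F6",
    "• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00691B96",
]

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<func>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"       # e.g. OpenProcess.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")

# Window/control messages seen in this listing (second argument of *Message* APIs).
WM = {0x10: "WM_CLOSE", 0x30: "WM_SETFONT", 0x188: "LB_GETCURSEL",
      0x189: "LB_GETTEXT", 0x18A: "LB_GETTEXTLEN", 0x467: "ACM_OPENW"}

# (function, zero-based argument index) -> exact-value names
ENUM = {
    ("MapVirtualKeyW", 0): {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
                            0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"},
    ("PostMessageW", 1): WM, ("SendMessageW", 1): WM, ("SendMessageTimeoutW", 1): WM,
    ("SendMessageTimeoutW", 4): {0: "SMTO_NORMAL", 1: "SMTO_BLOCK", 2: "SMTO_ABORTIFHUNG"},
    ("OpenProcess", 0): {0x1F0FFF: "PROCESS_ALL_ACCESS"},
    ("HttpQueryInfoW", 1): {5: "HTTP_QUERY_CONTENT_LENGTH"},
    ("CreateFileW", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                         4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"},
    ("SetErrorMode", 0): {1: "SEM_FAILCRITICALERRORS"},
    ("GetStockObject", 0): {0x11: "DEFAULT_GUI_FONT"},
}
# (function, argument index) -> bit flags that may be OR-ed together
FLAGS = {
    ("CreateFileW", 1): {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},
    ("CreateFileW", 2): {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"},
    ("CreateFileW", 5): {0x80: "FILE_ATTRIBUTE_NORMAL"},
}


@dataclass
class ApiCall:
    func: str
    module: str
    args: list                      # int, None for '?', or a literal string such as "nul"
    ref: int                        # call-site address from the 'ref:' field
    caller: Optional[int] = None    # set for 'Part of subcall function' lines
    decoded: dict = field(default_factory=dict)   # arg index -> symbolic name


def _arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None                 # sandbox could not recover the value
    if HEX8.fullmatch(tok):
        return int(tok, 16)
    return tok                      # literal argument, e.g. the file name "nul"


def decode_args(func: str, args: list) -> dict:
    """Resolve known enum values and OR-ed flag sets; unknown positions stay raw."""
    out = {}
    for i, a in enumerate(args):
        if not isinstance(a, int):
            continue
        if a in ENUM.get((func, i), {}):
            out[i] = ENUM[(func, i)][a]
            continue
        bits = FLAGS.get((func, i))
        if bits:
            names = [n for b, n in bits.items() if a & b]
            rest = a & ~sum(bits)   # bits not covered by the table stay visible
            if names:
                out[i] = "|".join(names) + (f"|0x{rest:X}" if rest else "")
    return out


def parse_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None                 # headers such as "Memory Dump Source"
    raw = m.group("args")
    args = [_arg(t) for t in raw.split(",")] if raw else []
    func = m.group("func")
    caller = int(m.group("caller"), 16) if m.group("caller") else None
    return ApiCall(func, m.group("module"), args, int(m.group("ref"), 16),
                   caller, decode_args(func, args))


def parse_listing(lines) -> list:
    return [c for c in map(parse_line, lines) if c is not None]


def render(call: ApiCall) -> str:
    parts = ["?" if a is None else call.decoded.get(i, f"0x{a:X}") if isinstance(a, int)
             else repr(a) for i, a in enumerate(call.args)]
    prefix = f"[from {call.caller:08X}] " if call.caller is not None else ""
    return f"{prefix}{call.module}!{call.func}({', '.join(parts)}) @ {call.ref:08X}"


def has_sequence(calls, names, skip_subcalls=True) -> bool:
    """True if the function names occur in this order (not necessarily adjacent)."""
    it = iter(c.func for c in calls if not (skip_subcalls and c.caller is not None))
    return all(any(f == n for f in it) for n in names)


if __name__ == "__main__":
    calls = parse_listing(SAMPLE_LINES)
    for c in calls:
        print(render(c))
    print("close-then-kill chain:",
          has_sequence(calls, ["PostMessageW", "OpenProcess", "TerminateProcess"]))
```

Feeding the whole "APIs" section of a report through `parse_listing` and then `has_sequence` is a cheap way to confirm a behaviour (here, that a window is asked to close and its owning process is then opened with full access and terminated) without re-reading every entry by hand; the `caller` field keeps subcall lines distinct so they do not create false orderings.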
                    APIs
                    • InterlockedExchange.KERNEL32(?,?), ref: 006874E5
                    • EnterCriticalSection.KERNEL32(?,?,00631044,?,?), ref: 006874F6
                    • TerminateThread.KERNEL32(00000000,000001F6,?,00631044,?,?), ref: 00687503
                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00631044,?,?), ref: 00687510
                      • Part of subcall function 00686ED7: CloseHandle.KERNEL32(00000000,?,0068751D,?,00631044,?,?), ref: 00686EE1
                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00687523
                    • LeaveCriticalSection.KERNEL32(?,?,00631044,?,?), ref: 0068752A
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                    • String ID:
                    • API String ID: 3495660284-0
                    • Opcode ID: 82efacc6de67814584512cc27de4b84f8d9db9da01fe4d8b1d5eefa2f78200c7
                    • Instruction ID: c9d1e2b8f7b8b6c373021606b5c7d1d6d404052c17e4a3011edf10725a1718c2
                    • Opcode Fuzzy Hash: 82efacc6de67814584512cc27de4b84f8d9db9da01fe4d8b1d5eefa2f78200c7
                    • Instruction Fuzzy Hash: 03F05E3A144612EBDB613BE4FC8CAEB772BEF46302B101631F202910B0DB756A01CF52
                    APIs
                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00678E7F
                    • UnloadUserProfile.USERENV(?,?), ref: 00678E8B
                    • CloseHandle.KERNEL32(?), ref: 00678E94
                    • CloseHandle.KERNEL32(?), ref: 00678E9C
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00678EA5
                    • HeapFree.KERNEL32(00000000), ref: 00678EAC
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                    • String ID:
                    • API String ID: 146765662-0
                    • Opcode ID: c05b8c43f7f1217fb6d225d4daa9ea8026ff6902dc885d6fe52d05196a9ade90
                    • Instruction ID: ff11aa5dace3475f7f71ecd2301c3ce310222860071742df050faab2bb6fd243
                    • Opcode Fuzzy Hash: c05b8c43f7f1217fb6d225d4daa9ea8026ff6902dc885d6fe52d05196a9ade90
                    • Instruction Fuzzy Hash: 9AE05276104505FFDB012FE5EC0C95ABB6AFB8A762B509631F21981470CB32A861DF92
                    APIs
                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,006B2C7C,?), ref: 00677C32
                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,006B2C7C,?), ref: 00677C4A
                    • CLSIDFromProgID.OLE32(?,?,00000000,006AFB80,000000FF,?,00000000,00000800,00000000,?,006B2C7C,?), ref: 00677C6F
                    • _memcmp.LIBCMT ref: 00677C90
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: FromProg$FreeTask_memcmp
                    • String ID: ,,k
                    • API String ID: 314563124-759674344
                    • Opcode ID: d77515225067ab3c52f43757aeddc53e5d0efd74c4cecf0dfb3fc4d38b0ffee5
                    • Instruction ID: e70d52fef702a94f8f56b98616a8165eac6db28a23e8f57dfa8294394ef005cf
                    • Opcode Fuzzy Hash: d77515225067ab3c52f43757aeddc53e5d0efd74c4cecf0dfb3fc4d38b0ffee5
                    • Instruction Fuzzy Hash: 59811B75A00109EFCB04DF94C984DEEB7BAFF89715F208198E516AB250DB71AE06CB61
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 00698928
                    • CharUpperBuffW.USER32(?,?), ref: 00698A37
                    • VariantClear.OLEAUT32(?), ref: 00698BAF
                      • Part of subcall function 00687804: VariantInit.OLEAUT32(00000000), ref: 00687844
                      • Part of subcall function 00687804: VariantCopy.OLEAUT32(00000000,?), ref: 0068784D
                      • Part of subcall function 00687804: VariantClear.OLEAUT32(00000000), ref: 00687859
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                    • API String ID: 4237274167-1221869570
                    • Opcode ID: 258fe5001dc047599712e2ae8f93cfab7a496bb33c811992dc5bac25463838f2
                    • Instruction ID: d600c82bf67cd1c5c47d5b6d45f3a0d91eff7e1a93ffd7f42431f7f4ce1c755b
                    • Opcode Fuzzy Hash: 258fe5001dc047599712e2ae8f93cfab7a496bb33c811992dc5bac25463838f2
                    • Instruction Fuzzy Hash: AC9180716087019FCB50DF28C48195ABBEAEFC9314F14896EF89A8B361DB31E945CB52
                    APIs
                      • Part of subcall function 0063FEC6: _wcscpy.LIBCMT ref: 0063FEE9
                    • _memset.LIBCMT ref: 00683077
                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006830A6
                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00683159
                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00683187
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                    • String ID: 0
                    • API String ID: 4152858687-4108050209
                    • Opcode ID: 37002de37247e0aa4b8a101de521d6fe8d437b3d8a57032ee61e5ea672540724
                    • Instruction ID: 275e7ac173122368abaa191a1262557114efd0591c4c7f8b5341fa7d21a1fb40
                    • Opcode Fuzzy Hash: 37002de37247e0aa4b8a101de521d6fe8d437b3d8a57032ee61e5ea672540724
                    • Instruction Fuzzy Hash: B951EF316083209AD765BF28C849AABBBE6AF55F50F040B2DF8C5D7390DB70CA448B56
                    APIs
                    • _memset.LIBCMT ref: 00682CAF
                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00682CCB
                    • DeleteMenu.USER32(?,00000007,00000000), ref: 00682D11
                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,006E6890,00000000), ref: 00682D5A
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Menu$Delete$InfoItem_memset
                    • String ID: 0
                    • API String ID: 1173514356-4108050209
                    • Opcode ID: 6981966ae49cb01b37e546307ea74b85ad297bd88c3c96a40fb4e1fd10b49234
                    • Instruction ID: 2c9cc931f827a3fd3ff9dde97e76860d50aee89981416e68d370b7cb5d54480d
                    • Opcode Fuzzy Hash: 6981966ae49cb01b37e546307ea74b85ad297bd88c3c96a40fb4e1fd10b49234
                    • Instruction Fuzzy Hash: D941A0702053029FD720EF24C855B5ABBEAFF85320F144A1DF965973A1D770E905CBA6
                    APIs
                    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0069DAD9
                      • Part of subcall function 006279AB: _memmove.LIBCMT ref: 006279F9
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: BuffCharLower_memmove
                    • String ID: cdecl$none$stdcall$winapi
                    • API String ID: 3425801089-567219261
                    • Opcode ID: 990bf2341585312a59368a96f3c3c1b29ccceefc875e6317aa8bf8258f8407cd
                    • Instruction ID: cab9ba2f61e32651b49d59a3f1057e48428daaeceaf90f336370f0acfef7cec1
                    • Opcode Fuzzy Hash: 990bf2341585312a59368a96f3c3c1b29ccceefc875e6317aa8bf8258f8407cd
                    • Instruction Fuzzy Hash: 9531967190061AAFCF10EF94CC819EEB7BAFF05310B10862EE86597BD5DB71A905CB94
                    APIs
                      • Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82
                      • Part of subcall function 0067B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0067B0E7
                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 006793F6
                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00679409
                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 00679439
                      • Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: MessageSend$_memmove$ClassName
                    • String ID: ComboBox$ListBox
                    • API String ID: 365058703-1403004172
                    • Opcode ID: ac448fff1de8eea9c7ccff44891c48fd2381ca3c30cc6b2d5c0688e84fca0cfd
                    • Instruction ID: fbaa21454e52dc2292e5ac371c1b0f2042d53ccb3b5e097b581cf930571bd008
                    • Opcode Fuzzy Hash: ac448fff1de8eea9c7ccff44891c48fd2381ca3c30cc6b2d5c0688e84fca0cfd
                    • Instruction Fuzzy Hash: A9210471900104BADB14ABB4DC86CFFB7BBDF06320B14812DF929972E1DB340D4ADA20
                    APIs
                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00691B40
                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00691B66
                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00691B96
                    • InternetCloseHandle.WININET(00000000), ref: 00691BDD
                      • Part of subcall function 00692777: GetLastError.KERNEL32(?,?,00691B0B,00000000,00000000,00000001), ref: 0069278C
                      • Part of subcall function 00692777: SetEvent.KERNEL32(?,?,00691B0B,00000000,00000000,00000001), ref: 006927A1
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                    • String ID:
                    • API String ID: 3113390036-3916222277
                    • Opcode ID: d764a1a0a1009bc89af790590f7f52918db10d96da0caeec730e7d7b2e4d2d53
                    • Instruction ID: c26ebccf7657998e01f52c9fbcdd6c706c31ca1b94b9ea87eef02384228187b8
                    • Opcode Fuzzy Hash: d764a1a0a1009bc89af790590f7f52918db10d96da0caeec730e7d7b2e4d2d53
                    • Instruction Fuzzy Hash: EE21C2B1500209BFEF119F64DCC5EBF76EFEB4A744F20012EF405AA640EA309D059B65
                    APIs
                      • Part of subcall function 00621D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00621D73
                      • Part of subcall function 00621D35: GetStockObject.GDI32(00000011), ref: 00621D87
                      • Part of subcall function 00621D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00621D91
                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 006A66D0
                    • LoadLibraryW.KERNEL32(?), ref: 006A66D7
                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 006A66EC
                    • DestroyWindow.USER32(?), ref: 006A66F4
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                    • String ID: SysAnimate32
                    • API String ID: 4146253029-1011021900
                    • Opcode ID: 4b6dda74b612bf2fff4f9e7c6e7b58cd25226d3997f3b4a74a3182ba35ea6022
                    • Instruction ID: 5464bc62420d5c10ea08b73615e9c79bc2430ed5e04db141823dde7a557a54dc
                    • Opcode Fuzzy Hash: 4b6dda74b612bf2fff4f9e7c6e7b58cd25226d3997f3b4a74a3182ba35ea6022
                    • Instruction Fuzzy Hash: 5621C271100205ABEF106F64DC80EFB77AFEF1A368F182629F91092290D771DC419F61
                    APIs
                    • GetStdHandle.KERNEL32(0000000C), ref: 0068705E
                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00687091
                    • GetStdHandle.KERNEL32(0000000C), ref: 006870A3
                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 006870DD
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: CreateHandle$FilePipe
                    • String ID: nul
                    • API String ID: 4209266947-2873401336
                    • Opcode ID: 5ea3471754d2c3f13ea9fc24173e20b2cb51ad9ae8de254b161b7d4655a1174b
                    • Instruction ID: a9960267f215ef975d221352b6082c5a055abe3d5693e783f3489ed087a1d7a4
                    • Opcode Fuzzy Hash: 5ea3471754d2c3f13ea9fc24173e20b2cb51ad9ae8de254b161b7d4655a1174b
                    • Instruction Fuzzy Hash: 2B217FB4504209ABDB20AF68D805A9A77FAAF95720F304719F9A0D72D0D771E940CB61
                    APIs
                    • GetStdHandle.KERNEL32(000000F6), ref: 0068712B
                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0068715D
                    • GetStdHandle.KERNEL32(000000F6), ref: 0068716E
                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 006871A8
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: CreateHandle$FilePipe
                    • String ID: nul
                    • API String ID: 4209266947-2873401336
                    • Opcode ID: 441a145b94c93b3457ad1b4aaae9d8ba7099299a5135af87eb8ff1ceb88fc552
                    • Instruction ID: cdc5e49e2fd8e65a27f0c38612cc51eda70f81f3213fcb0d75dd6467cedb05ae
                    • Opcode Fuzzy Hash: 441a145b94c93b3457ad1b4aaae9d8ba7099299a5135af87eb8ff1ceb88fc552
                    • Instruction Fuzzy Hash: 8B2190756082059BDB20AF689C08A9AB7EAAF55724F340719F9E0D73D0D770E941CB51
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 0068AEBF
                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0068AF13
                    • __swprintf.LIBCMT ref: 0068AF2C
                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,006AF910), ref: 0068AF6A
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ErrorMode$InformationVolume__swprintf
                    • String ID: %lu
                    • API String ID: 3164766367-685833217
                    • Opcode ID: 7a0a3d29e8a652a2399a8cdf49a7f4600c690a1248e5ad137dc565eeed20027b
                    • Instruction ID: 3aaed30ec3a0c252880393a0b56ab33d6999a4b0fa712bff5db96a741c2f0e08
                    • Opcode Fuzzy Hash: 7a0a3d29e8a652a2399a8cdf49a7f4600c690a1248e5ad137dc565eeed20027b
                    • Instruction Fuzzy Hash: AC217434A00109AFDB50EF94D985DAE77B9EF89704B104069F909DB351DB31EE45CF25
                    APIs
                      • Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66
                      • Part of subcall function 0067A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0067A399
                      • Part of subcall function 0067A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0067A3AC
                      • Part of subcall function 0067A37C: GetCurrentThreadId.KERNEL32 ref: 0067A3B3
                      • Part of subcall function 0067A37C: AttachThreadInput.USER32(00000000), ref: 0067A3BA
                    • GetFocus.USER32 ref: 0067A554
                      • Part of subcall function 0067A3C5: GetParent.USER32(?), ref: 0067A3D3
                    • GetClassNameW.USER32(?,?,00000100), ref: 0067A59D
                    • EnumChildWindows.USER32(?,0067A615), ref: 0067A5C5
                    • __swprintf.LIBCMT ref: 0067A5DF
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                    • String ID: %s%d
                    • API String ID: 1941087503-1110647743
                    • Opcode ID: e8e69906e939dea8319d1fa561912997d15318bf14892a8ecf983988c10e0706
                    • Instruction ID: e2f3c72db81a4328d7ac43d6946adb5e931db5631a24029049573e0c5e645139
                    • Opcode Fuzzy Hash: e8e69906e939dea8319d1fa561912997d15318bf14892a8ecf983988c10e0706
                    • Instruction Fuzzy Hash: AE11B471600208BBDF507FA4EC85FEE777E9F89710F048079B90CAA192CA7059458B7A
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 00682048
                    Strings
                    Similarity
                    • API ID: BuffCharUpper
                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                    • API String ID: 3964851224-769500911
                    • Opcode ID: 2d4cffe051fafae30cc830d667bd381ea2f9aa453c148aeecf8ac949ad707c88
                    • Instruction ID: dca717edb713ab4506fe47ac858a8e518c8e7da4cf423d4ccda3efa32f1a836f
                    • Opcode Fuzzy Hash: 2d4cffe051fafae30cc830d667bd381ea2f9aa453c148aeecf8ac949ad707c88
                    • Instruction Fuzzy Hash: 6A115B30D0411A8FCF40EFA4D9518EEB7B6FF16304F10856DD855A7352EB32691ACB51
                    APIs
                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0069EF1B
                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0069EF4B
                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0069F07E
                    • CloseHandle.KERNEL32(?), ref: 0069F0FF
                    Similarity
                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                    • String ID:
                    • API String ID: 2364364464-0
                    • Opcode ID: 3f17af1d768a1972aeba47c2bf3e55a6cafb86ff041d424ccb4c2bd234abe71d
                    • Instruction ID: 4a4a8c3ba2244899357247eec115bb76601ea9cacf152779f7b5ecf66855a75f
                    • Opcode Fuzzy Hash: 3f17af1d768a1972aeba47c2bf3e55a6cafb86ff041d424ccb4c2bd234abe71d
                    • Instruction Fuzzy Hash: 528182716007109FDB60EF24DC46B6AB7EAAF88720F04881DF595DB792DB71AC408F96
                    APIs
                      • Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82
                      • Part of subcall function 006A10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006A0038,?,?), ref: 006A10BC
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006A0388
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006A03C7
                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 006A040E
                    • RegCloseKey.ADVAPI32(?,?), ref: 006A043A
                    • RegCloseKey.ADVAPI32(00000000), ref: 006A0447
                    Similarity
                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                    • String ID:
                    • API String ID: 3440857362-0
                    • Opcode ID: ef47a1cfd2194b170de4d30bd76ad7a4c591f4239a7ae622c41f1d47fdc0a273
                    • Instruction ID: a872cf3b05d6b7f8343387ee97df18f22361ac392e296c22721ba8ef54419bb3
                    • Opcode Fuzzy Hash: ef47a1cfd2194b170de4d30bd76ad7a4c591f4239a7ae622c41f1d47fdc0a273
                    • Instruction Fuzzy Hash: A0515A31208205AFDB44EF64D891E6EB7EAFF89304F04892DB596872A1DB31ED05CF56
                    APIs
                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0068E88A
                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0068E8B3
                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0068E8F2
                      • Part of subcall function 00629997: __itow.LIBCMT ref: 006299C2
                      • Part of subcall function 00629997: __swprintf.LIBCMT ref: 00629A0C
                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0068E917
                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0068E91F
                    Similarity
                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                    • String ID:
                    • API String ID: 1389676194-0
                    • Opcode ID: e6f196dccae45aadaff3b75b027a11017d536359b656dd2da8c38b3e7f54997c
                    • Instruction ID: 25bac0eaf7ec536341f1ed57462a97c592b1890d4204025aadaed9058e72c98b
                    • Opcode Fuzzy Hash: e6f196dccae45aadaff3b75b027a11017d536359b656dd2da8c38b3e7f54997c
                    • Instruction Fuzzy Hash: A4513B35A00615DFDF40EFA4C981AADBBF6EF49310B148099E849AB361CB32ED41CF65
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e68bc1ea14f6828fc7a0f447c47e8f3d66a1783155e707fdb0f8035e97df55fc
                    • Instruction ID: c8afc316ec46127bd50aa5e024e850bd0022fdeed9a0282346ccc7acd6fc7b19
                    • Opcode Fuzzy Hash: e68bc1ea14f6828fc7a0f447c47e8f3d66a1783155e707fdb0f8035e97df55fc
                    • Instruction Fuzzy Hash: 25419035900214ABDB20FFA8CC44BE9BBA6EB0B310F144166F955E72A1D770AD41DE62
                    APIs
                    • GetCursorPos.USER32(?), ref: 00622357
                    • ScreenToClient.USER32(006E67B0,?), ref: 00622374
                    • GetAsyncKeyState.USER32(00000001), ref: 00622399
                    • GetAsyncKeyState.USER32(00000002), ref: 006223A7
                    Similarity
                    • API ID: AsyncState$ClientCursorScreen
                    • String ID:
                    • API String ID: 4210589936-0
                    • Opcode ID: cd31f26e537a76b26d29caac153ca8ee787263e6785caa9d9e33160172e0eef2
                    • Instruction ID: a05ddd6b653a08bdffcc4e4248d921856556f77863c85b3830cc4849066b6a3c
                    • Opcode Fuzzy Hash: cd31f26e537a76b26d29caac153ca8ee787263e6785caa9d9e33160172e0eef2
                    • Instruction Fuzzy Hash: D2416F31504626FFDF159FA4D844AE9BBB6FB05321F204319F82496290C7746E54DF91
                    APIs
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0067695D
                    • TranslateAcceleratorW.USER32(?,?,?), ref: 006769A9
                    • TranslateMessage.USER32(?), ref: 006769D2
                    • DispatchMessageW.USER32(?), ref: 006769DC
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006769EB
                    Similarity
                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                    • String ID:
                    • API String ID: 2108273632-0
                    • Opcode ID: 8504a22ee739316315f26cc0d3ee219433765f743d294645a792ba4e1c1b8e17
                    • Instruction ID: 7393674eacf7a7e607e99a0d97652d1fe5b9a8f8692e371da10e6be699b1345d
                    • Opcode Fuzzy Hash: 8504a22ee739316315f26cc0d3ee219433765f743d294645a792ba4e1c1b8e17
                    • Instruction Fuzzy Hash: 7831F831900B47AEDB20CF74CC84FF67BAFAB12340F109169F529C62A1E7749885DB90
                    APIs
                    • GetWindowRect.USER32(?,?), ref: 00678F12
                    • PostMessageW.USER32(?,00000201,00000001), ref: 00678FBC
                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00678FC4
                    • PostMessageW.USER32(?,00000202,00000000), ref: 00678FD2
                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00678FDA
                    Similarity
                    • API ID: MessagePostSleep$RectWindow
                    • String ID:
                    • API String ID: 3382505437-0
                    • Opcode ID: 17a293e38fd30ac223c6a6362da36a2aa3a8e96900f1689e4a1fdd364143848a
                    • Instruction ID: 53e12700a4ac5298fc03abd0981ca69d44a289dfc1246e4859ba8e4f0b4ab220
                    • Opcode Fuzzy Hash: 17a293e38fd30ac223c6a6362da36a2aa3a8e96900f1689e4a1fdd364143848a
                    • Instruction Fuzzy Hash: 0A31CD71500219EFDB10CFA8D94CADE7BB6EB05315F108229F928E72D0CBB49D10CB91
                    APIs
                    • IsWindowVisible.USER32(?), ref: 0067B6C7
                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0067B6E4
                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0067B71C
                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0067B742
                    • _wcsstr.LIBCMT ref: 0067B74C
                    Similarity
                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                    • String ID:
                    • API String ID: 3902887630-0
                    • Opcode ID: 009547cbefde323f784d98cf05bc33c3f4b505ace30c8cfe0b198d7400d9026b
                    • Instruction ID: aa1d5f57fd5ad26174877ef3452cd7700b49ef20929b68bb0dd5986c4131e0a8
                    • Opcode Fuzzy Hash: 009547cbefde323f784d98cf05bc33c3f4b505ace30c8cfe0b198d7400d9026b
                    • Instruction Fuzzy Hash: CB21D731204244BAEB295B799C49F7B7B9ADF4A720F10903DFD09CA2A1EF61DC4197A1
                    APIs
                      • Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623
                    • GetWindowLongW.USER32(?,000000F0), ref: 006AB44C
                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 006AB471
                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 006AB489
                    • GetSystemMetrics.USER32(00000004), ref: 006AB4B2
                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00691184,00000000), ref: 006AB4D0
                    Similarity
                    • API ID: Window$Long$MetricsSystem
                    • String ID:
                    • API String ID: 2294984445-0
                    • Opcode ID: c4e110bd0230e06be9b42587b44f5847c15eb29c0459a0a497cf26ae5a88f01d
                    • Instruction ID: 839b4904dffebc5f5da06424363184f51719e4f2926487b7a648526592ddd349
                    • Opcode Fuzzy Hash: c4e110bd0230e06be9b42587b44f5847c15eb29c0459a0a497cf26ae5a88f01d
                    • Instruction Fuzzy Hash: 80218231910265AFCB10AF78DC44AA63BE6EB1A720F105728F925C62E7E7309C11DF50
                    APIs
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00679802
                      • Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66
                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00679834
                    • __itow.LIBCMT ref: 0067984C
                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00679874
                    • __itow.LIBCMT ref: 00679885
                    Similarity
                    • API ID: MessageSend$__itow$_memmove
                    • String ID:
                    • API String ID: 2983881199-0
                    • Opcode ID: 6a0c282b6725c54164dfba97ddaf3b03c81b5db587a54de729d9a56f064d6ae8
                    • Instruction ID: 5af47d1574233f60b92119ea1b40d11c65e4b335d4c5e56cf3517f548df0780e
                    • Opcode Fuzzy Hash: 6a0c282b6725c54164dfba97ddaf3b03c81b5db587a54de729d9a56f064d6ae8
                    • Instruction Fuzzy Hash: EC21B831600214ABDB10AB659C86EEE7BFADF4A710F084429F90897351D6709D418BE6
                    APIs
                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0062134D
                    • SelectObject.GDI32(?,00000000), ref: 0062135C
                    • BeginPath.GDI32(?), ref: 00621373
                    • SelectObject.GDI32(?,00000000), ref: 0062139C
                    Similarity
                    • API ID: ObjectSelect$BeginCreatePath
                    • String ID:
                    • API String ID: 3225163088-0
                    • Opcode ID: c4a3d6ac9b80cd59b702eb96233a1b43c8448d055739128947067fa63b035eb3
                    • Instruction ID: fdd5fc9133ab3a86141efaad8b3931c2b6f0e7e6b006e9883f421d16f7098aa5
                    • Opcode Fuzzy Hash: c4a3d6ac9b80cd59b702eb96233a1b43c8448d055739128947067fa63b035eb3
                    • Instruction Fuzzy Hash: DE219270914754EFDB10DF65EC447AE3BBBFB223A1F145225F8109A2A0D371A895CFA1
                    APIs
                    Similarity
                    • API ID: _memcmp
                    • String ID:
                    • API String ID: 2931989736-0
                    • Opcode ID: 9f03bee70e9744d0f445d08dd6ef3562c72f35333905c8cc43e072d7c024e06a
                    • Instruction ID: 829c46f05f72cce28126b14ac829471c6d45085b433251fdf3a34ca9e6945484
                    • Opcode Fuzzy Hash: 9f03bee70e9744d0f445d08dd6ef3562c72f35333905c8cc43e072d7c024e06a
                    • Instruction Fuzzy Hash: 1E0192A16041067BE604A6209C52EEB67DF9B223B4B85813DFD089A383FB50DE5183A4
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 00684D5C
                    • __beginthreadex.LIBCMT ref: 00684D7A
                    • MessageBoxW.USER32(?,?,?,?), ref: 00684D8F
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00684DA5
                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00684DAC
                    Similarity
                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                    • String ID:
                    • API String ID: 3824534824-0
                    • Opcode ID: 733efb23067e2cd772aff96af623a510f0eed786cf46d956f206bf31718b013a
                    • Instruction ID: c70a85762ae1226e229930eb0c1e979c43ae8b79ec178dee6f9536f36424d369
                    • Opcode Fuzzy Hash: 733efb23067e2cd772aff96af623a510f0eed786cf46d956f206bf31718b013a
                    • Instruction Fuzzy Hash: 36110872904245BFCB01ABA8DC44ADA7FAEEB45320F144365F914D7351DA719D048BA1
                    APIs
                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00678766
                    • GetLastError.KERNEL32(?,0067822A,?,?,?), ref: 00678770
                    • GetProcessHeap.KERNEL32(00000008,?,?,0067822A,?,?,?), ref: 0067877F
                    • HeapAlloc.KERNEL32(00000000,?,0067822A,?,?,?), ref: 00678786
                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0067879D
                    Similarity
                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 842720411-0
                    • Opcode ID: 31808fea3b78362568ac7b059de5521957c93b88936778102e073ebb0362e9bc
                    • Instruction ID: 9223df865bccf2f27ef51b5fb088b9cedad43861f10bd797c0576a5293c748c6
                    • Opcode Fuzzy Hash: 31808fea3b78362568ac7b059de5521957c93b88936778102e073ebb0362e9bc
                    • Instruction Fuzzy Hash: 34014F71240204EFDB245FAADC4CDAB7B6EEF863557204429F84AC3260DA31DC00CEA1
                    APIs
                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00685502
                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00685510
                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00685518
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00685522
                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0068555E
                    Similarity
                    • API ID: PerformanceQuery$CounterSleep$Frequency
                    • String ID:
                    • API String ID: 2833360925-0
                    • Opcode ID: 530b6509b0628d62e5734b6fe2e8eee0644dc76fdea662f5e7e929626095bbcb
                    • Instruction ID: 54303e06c4f88ab7d6b53bbc80bd29787b044e94ef5b5ba25f83cf827786c10d
                    • Opcode Fuzzy Hash: 530b6509b0628d62e5734b6fe2e8eee0644dc76fdea662f5e7e929626095bbcb
                    • Instruction Fuzzy Hash: 82012135D00A1DDBCF00FFE5E8495EDBB7AFB09711F400596E942B2240DB305A55CBA2
                    APIs
                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00678608
                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00678612
                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00678621
                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00678628
                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0067863E
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: HeapInformationToken$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 44706859-0
                    • Opcode ID: 0a4d714d98111095989e475b630a1c351074ec31852dc77e19cf99b9786094bf
                    • Instruction ID: cb7b283c840fff3b7739493594f3b34f3fb27e72fbfa2dd1ac6048c9e80a6241
                    • Opcode Fuzzy Hash: 0a4d714d98111095989e475b630a1c351074ec31852dc77e19cf99b9786094bf
                    • Instruction Fuzzy Hash: A1F04F31241204BFEB101FE5DC9DEAB3BAEEF8A755B004425F94DC7250CBA1AD41DE61
                    APIs
                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00678669
                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00678673
                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00678682
                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00678689
                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0067869F
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: HeapInformationToken$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 44706859-0
                    • Opcode ID: 1311948796382c99daebec635f2b2eb278ceea4c7b9aa43289895e135ca3f999
                    • Instruction ID: bf37762ba86a9b73aafe8b80663c3330a6bbacadf7ae8accc2b7393cc113ce0b
                    • Opcode Fuzzy Hash: 1311948796382c99daebec635f2b2eb278ceea4c7b9aa43289895e135ca3f999
                    • Instruction Fuzzy Hash: CAF04471240214BFDB112FA5DC8CEA73BAEEF46755B100025F549C7250DB61AD41DE62
                    APIs
                    • GetDlgItem.USER32(?,000003E9), ref: 0067C6BA
                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 0067C6D1
                    • MessageBeep.USER32(00000000), ref: 0067C6E9
                    • KillTimer.USER32(?,0000040A), ref: 0067C705
                    • EndDialog.USER32(?,00000001), ref: 0067C71F
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                    • String ID:
                    • API String ID: 3741023627-0
                    • Opcode ID: 897c9abfd1412139dab84a25ba7e2e95cec7801f60fba90523687c7e9bb284e3
                    • Instruction ID: c3225701957b4ae5ba0a837fddc39bdf99e8aa93fa5ffa7b86eab8756ad20a16
                    • Opcode Fuzzy Hash: 897c9abfd1412139dab84a25ba7e2e95cec7801f60fba90523687c7e9bb284e3
                    • Instruction Fuzzy Hash: F401A230400704ABEB24AF60EC8EF9677BAFF01701F00566DF586A14E1DBE0A9548F91
                    APIs
                    • EndPath.GDI32(?), ref: 006213BF
                    • StrokeAndFillPath.GDI32(?,?,0065BAD8,00000000,?), ref: 006213DB
                    • SelectObject.GDI32(?,00000000), ref: 006213EE
                    • DeleteObject.GDI32 ref: 00621401
                    • StrokePath.GDI32(?), ref: 0062141C
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Path$ObjectStroke$DeleteFillSelect
                    • String ID:
                    • API String ID: 2625713937-0
                    • Opcode ID: 27470ae03fe91ab82aadab38dc203df77460206c513cf32db7594e2e94a01fe6
                    • Instruction ID: b76607bef88cd3aefcf17c1a17adb11b3d54bce4284ee6c0d70eb92c9aab70e0
                    • Opcode Fuzzy Hash: 27470ae03fe91ab82aadab38dc203df77460206c513cf32db7594e2e94a01fe6
                    • Instruction Fuzzy Hash: F2F01D30024748DBDB156F56EC4C7593BA7AB22366F04A224F4694C1F1C73159A5DF21
                    APIs
                    • CoInitialize.OLE32(00000000), ref: 0068C69D
                    • CoCreateInstance.OLE32(006B2D6C,00000000,00000001,006B2BDC,?), ref: 0068C6B5
                      • Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82
                    • CoUninitialize.OLE32 ref: 0068C922
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: CreateInitializeInstanceUninitialize_memmove
                    • String ID: .lnk
                    • API String ID: 2683427295-24824748
                    • Opcode ID: b3c33f0373f35854e28cac1a25063086c776eedd58dd3e5c5fec87c636f9f6c3
                    • Instruction ID: 6f6b0dd40eb5e89157f376693f4e436f258a4e986420fd01a76c7b2771fe7cb6
                    • Opcode Fuzzy Hash: b3c33f0373f35854e28cac1a25063086c776eedd58dd3e5c5fec87c636f9f6c3
                    • Instruction Fuzzy Hash: F9A16A71108715AFD740EF54D892EABB7E9EF94304F00491CF196971A2EB70EA09CF66
                    APIs
                      • Part of subcall function 00640FF6: std::exception::exception.LIBCMT ref: 0064102C
                      • Part of subcall function 00640FF6: __CxxThrowException@8.LIBCMT ref: 00641041
                      • Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82
                      • Part of subcall function 00627BB1: _memmove.LIBCMT ref: 00627C0B
                    • __swprintf.LIBCMT ref: 0063302D
                    Strings
                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00632EC6
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                    • API String ID: 1943609520-557222456
                    • Opcode ID: 84388e39643f6d6f7f5be9cbb0932490b836b3682ee5074778861e354be92485
                    • Instruction ID: 104a6c344b3462095c67a848db9af60b83255ab775f9b50b59df329d21a4646c
                    • Opcode Fuzzy Hash: 84388e39643f6d6f7f5be9cbb0932490b836b3682ee5074778861e354be92485
                    • Instruction Fuzzy Hash: F1918D71108721AFC768EF24E885CAFB7A6EF85750F00491DF4429B2A1DB30EE44CB96
                    APIs
                    • OleSetContainedObject.OLE32(?,00000001), ref: 0067B981
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ContainedObject
                    • String ID: AutoIt3GUI$Container$%k
                    • API String ID: 3565006973-671182982
                    • Opcode ID: 76e752559fac0315096649b9463d0e300cd24bdd61d60582414230b9f4a9625e
                    • Instruction ID: f59cb6cfc6a86f009ab36f9c9eac74112fab3feddd0ff1e96d15f2f7c9d5bcfc
                    • Opcode Fuzzy Hash: 76e752559fac0315096649b9463d0e300cd24bdd61d60582414230b9f4a9625e
                    • Instruction Fuzzy Hash: 86913A706006019FDB64DF64C884BAABBFAFF49710F14956EE949CB791DB70E841CB60
                    APIs
                    • __startOneArgErrorHandling.LIBCMT ref: 006452DD
                      • Part of subcall function 00650340: __87except.LIBCMT ref: 0065037B
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ErrorHandling__87except__start
                    • String ID: pow
                    • API String ID: 2905807303-2276729525
                    • Opcode ID: 6fc491e90d28f24ac1c6242890a7d3244ceb60f9e9d5f39dc9902ae81b18bb7a
                    • Instruction ID: c40364e4cc3a80d9dffdb64bffca4338110927bbb9192b5343c0ad6742971439
                    • Opcode Fuzzy Hash: 6fc491e90d28f24ac1c6242890a7d3244ceb60f9e9d5f39dc9902ae81b18bb7a
                    • Instruction Fuzzy Hash: 15515A61A0D602C7EB126B24C9413FE2BD39B40751F20895DE896863E7EF74CDDC9A46
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID:
                    • String ID: #$+
                    • API String ID: 0-2552117581
                    • Opcode ID: 57b6780227f3cdd532fbdaca9a56abf60a80b56d0b18fe4aabf0efacda039930
                    • Instruction ID: 92e34a07a04d948e9136ea495a5ec54abdd34ee5ed12c07391d8f66c76519484
                    • Opcode Fuzzy Hash: 57b6780227f3cdd532fbdaca9a56abf60a80b56d0b18fe4aabf0efacda039930
                    • Instruction Fuzzy Hash: 40515735504656DFDF25DF28C488AFA7BA6EF1A310F148099FC969B3A0D7B09C42CB64
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _memmove$_free
                    • String ID: Oac
                    • API String ID: 2620147621-752515563
                    • Opcode ID: a26c18e1ebe0f5bb54a8ee6d7f1d1447d00d1955cf83a6dd493e276b3483f67e
                    • Instruction ID: 8aa7564288e0c0e382cc11168094ceb5d0d100e3d52b27914e0f3c18f7cf1649
                    • Opcode Fuzzy Hash: a26c18e1ebe0f5bb54a8ee6d7f1d1447d00d1955cf83a6dd493e276b3483f67e
                    • Instruction Fuzzy Hash: C5515A71A083519FDB64CF28C891B6BBBE6BF85314F04492DE989C7351DB31EA41CB92
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _memset$_memmove
                    • String ID: ERCP
                    • API String ID: 2532777613-1384759551
                    • Opcode ID: 981d4e2e997f1b81b6f954fc3e80f10b5c81d8d9af810993e1444560540156a1
                    • Instruction ID: 5d54b0ce08c3aef74b617b636084185bdc84df39b5b7617738d3074f257da368
                    • Opcode Fuzzy Hash: 981d4e2e997f1b81b6f954fc3e80f10b5c81d8d9af810993e1444560540156a1
                    • Instruction Fuzzy Hash: C1519E71900319EBDB24CF65C881BEABBF6EF04714F20C56EE64ACA341E7719585CB84
                    APIs
                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 006A76D0
                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 006A76E4
                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 006A7708
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: MessageSend$Window
                    • String ID: SysMonthCal32
                    • API String ID: 2326795674-1439706946
                    • Opcode ID: 42223f82a27a3128eb1bb228dafae16afde976230236f35fef155ca7d3dfb134
                    • Instruction ID: d875d1d18da2c57982a42b1054777f9ec921948c30e52f73483793fd5c9a435d
                    • Opcode Fuzzy Hash: 42223f82a27a3128eb1bb228dafae16afde976230236f35fef155ca7d3dfb134
                    • Instruction Fuzzy Hash: 4521D332500218BBDF11DF94CC42FEA3B6AEF49714F111214FE156B1D0D6B1AC518FA0
                    APIs
                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 006A6FAA
                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 006A6FBA
                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 006A6FDF
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: MessageSend$MoveWindow
                    • String ID: Listbox
                    • API String ID: 3315199576-2633736733
                    • Opcode ID: 9f96ffb5b596894394bd26627b6e49efa1bdcbca3e08733232b93170026e3a64
                    • Instruction ID: 733c3dfcd5635093ef3c241447764abd7b329acfda0fb5e519e8a397dcb9886f
                    • Opcode Fuzzy Hash: 9f96ffb5b596894394bd26627b6e49efa1bdcbca3e08733232b93170026e3a64
                    • Instruction Fuzzy Hash: A6216232610118BFDF11AF54EC85EFB37ABEF8A764F158128F9159B290C671AC518FA0
                    APIs
                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 006A79E1
                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 006A79F6
                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 006A7A03
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: msctls_trackbar32
                    • API String ID: 3850602802-1010561917
                    • Opcode ID: bdd89fcad17f50b2c064134b3bb4845567a711e2f9594da2241bb69602e14130
                    • Instruction ID: cd83a99445b81b35309e63678f836804cee8c1c2ce5c001f8bcf6fee52ad991c
                    • Opcode Fuzzy Hash: bdd89fcad17f50b2c064134b3bb4845567a711e2f9594da2241bb69602e14130
                    • Instruction Fuzzy Hash: 2511C132244208BAEF10AF64CC05FEB77AAEF8A764F020529FA41A6191D271A811CF60
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00624C2E), ref: 00624CA3
                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00624CB5
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetNativeSystemInfo$kernel32.dll
                    • API String ID: 2574300362-192647395
                    • Opcode ID: 507309feb58cc85d65f1614859f6098a098d94e013c9649f78789e26ace82255
                    • Instruction ID: 036a1a6e7a8d5df0a7509f2037b53fca6b7fe573698dbba228911cdd578dacb9
                    • Opcode Fuzzy Hash: 507309feb58cc85d65f1614859f6098a098d94e013c9649f78789e26ace82255
                    • Instruction Fuzzy Hash: 0ED01270610723CFD7206FB5DA58646B6E7AF06751B118839D886D6250DA70DC80CE61
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00624D2E,?,00624F4F,?,006E62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00624D6F
                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00624D81
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                    • API String ID: 2574300362-3689287502
                    • Opcode ID: 759da8abdfcca06438a02f04b2822610b8e62fc8ff8c67beed15debae626de3a
                    • Instruction ID: 9c3e0df2402d4bf54f13a1c9689b30989ebbef1943ba93f56c1f7a442b177091
                    • Opcode Fuzzy Hash: 759da8abdfcca06438a02f04b2822610b8e62fc8ff8c67beed15debae626de3a
                    • Instruction Fuzzy Hash: D1D01270510723CFD7206F71D84865676EAAF16391B11DC3AD486D6350EA70D880CE61
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00624CE1,?), ref: 00624DA2
                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00624DB4
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                    • API String ID: 2574300362-1355242751
                    • Opcode ID: 5762a3b56abe619b611d1cf063ee8d384e1c201dddb6427ab20a58d00f9fcc24
                    • Instruction ID: 967aca19f3765d82ec1037469b22d1828f81fc4e7c96a11cafb3c229f92fad34
                    • Opcode Fuzzy Hash: 5762a3b56abe619b611d1cf063ee8d384e1c201dddb6427ab20a58d00f9fcc24
                    • Instruction Fuzzy Hash: 5ED01271550723CFD7306F71D84868676E6AF06355B11CC3AD8C5D6250EB70D880CE61
                    APIs
                    • LoadLibraryA.KERNEL32(advapi32.dll,?,006A12C1), ref: 006A1080
                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006A1092
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: RegDeleteKeyExW$advapi32.dll
                    • API String ID: 2574300362-4033151799
                    • Opcode ID: d9a4bff79280023152304a6b17cd4c069f5093bb8e3a183e6068a5119176a6c5
                    • Instruction ID: b864369abc370ff02e4f45efd2cf951612ea78f0af0d9a55437250754e29dd7a
                    • Opcode Fuzzy Hash: d9a4bff79280023152304a6b17cd4c069f5093bb8e3a183e6068a5119176a6c5
                    • Instruction Fuzzy Hash: 06D0EC31910712CFD7206B75D96856A76E6AF06351B129C2AA4C5DA250DB70D8808A51
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00699009,?,006AF910), ref: 00699403
                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00699415
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetModuleHandleExW$kernel32.dll
                    • API String ID: 2574300362-199464113
                    • Opcode ID: a1dda171b4b13f891372c024076208e7b9bc569f238d5ee85fefdbb12fafa37b
                    • Instruction ID: 477feada0314e17f04c34af51768cc23373a6528397fbffcba720f51605d2761
                    • Opcode Fuzzy Hash: a1dda171b4b13f891372c024076208e7b9bc569f238d5ee85fefdbb12fafa37b
                    • Instruction Fuzzy Hash: A5D01234514713CFDB306FB5D94854676EBAF26751B11C83ED485D6A50D670D880CB61
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: LocalTime__swprintf
                    • String ID: %.3d$WIN_XPe
                    • API String ID: 2070861257-2409531811
                    • Opcode ID: 26128cce35bd17bc56c1367ed955ef08aacb0d8a18932b0d0b899d75a952558d
                    • Instruction ID: aa7a2594e731fc3aacab195335ea842bf31335514be0cbb072eebc472ed03a73
                    • Opcode Fuzzy Hash: 26128cce35bd17bc56c1367ed955ef08aacb0d8a18932b0d0b899d75a952558d
                    • Instruction Fuzzy Hash: 39D01271C0411CEACB449BE0DC449F9737FAB0A311F180593B50295000F2349B86DF25
                    APIs
                    • CharLowerBuffW.USER32(?,?), ref: 0069E3D2
                    • CharLowerBuffW.USER32(?,?), ref: 0069E415
                      • Part of subcall function 0069DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0069DAD9
                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0069E615
                    • _memmove.LIBCMT ref: 0069E628
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: BuffCharLower$AllocVirtual_memmove
                    • String ID:
                    • API String ID: 3659485706-0
                    • Opcode ID: 9c4f349c33452f45cfb7ec55bb3468bc27b2560a03b9f19687f07c7681673c26
                    • Instruction ID: b097295a26e853b58eaa8e1e9530256ff7866e5045f9f69dfed93818e03a6060
                    • Opcode Fuzzy Hash: 9c4f349c33452f45cfb7ec55bb3468bc27b2560a03b9f19687f07c7681673c26
                    • Instruction Fuzzy Hash: 78C18E71A083118FCB54DF28C48095ABBE6FF88714F14896EF8999B751D732E946CF82
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Variant$AllocClearCopyInitString
                    • String ID:
                    • API String ID: 2808897238-0
                    • Opcode ID: 55a550ee72ad9e91450a0ce4002ae09e2bcd614d087fb2d9e76df0b346938d91
                    • Instruction ID: 6c216d8c7302e9e6fb39d5248d276d6b4cdce77eef8e167b3a5053edef2657f5
                    • Opcode Fuzzy Hash: 55a550ee72ad9e91450a0ce4002ae09e2bcd614d087fb2d9e76df0b346938d91
                    • Instruction Fuzzy Hash: DD51C8706087019ADB70AF75D891A6EB3E7AF49310F20D81FF59ECB292DB749880DB15
                    APIs
                      • Part of subcall function 00625045: _fseek.LIBCMT ref: 0062505D
                      • Part of subcall function 006899BE: _wcscmp.LIBCMT ref: 00689AAE
                      • Part of subcall function 006899BE: _wcscmp.LIBCMT ref: 00689AC1
                    • _free.LIBCMT ref: 0068992C
                    • _free.LIBCMT ref: 00689933
                    • _free.LIBCMT ref: 0068999E
                      • Part of subcall function 00642F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00649C64), ref: 00642FA9
                      • Part of subcall function 00642F95: GetLastError.KERNEL32(00000000,?,00649C64), ref: 00642FBB
                    • _free.LIBCMT ref: 006899A6
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                    • String ID:
                    • API String ID: 1552873950-0
                    • Opcode ID: 5c495b0b21d28be1d374838fa88e788ff3099b5f50b4cf91438e6cc607167dd1
                    • Instruction ID: 765537ab0cf664cc5d5216c4460ec2c39e57f3b39ee49d33162431be9f5a6a0c
                    • Opcode Fuzzy Hash: 5c495b0b21d28be1d374838fa88e788ff3099b5f50b4cf91438e6cc607167dd1
                    • Instruction Fuzzy Hash: D95172B1D04619AFDF649F64DC41AAEBBBAEF48300F1405AEF209A7241DB315E90CF58
                    APIs
                    • GetWindowRect.USER32(0100FA70,?), ref: 006A9AD2
                    • ScreenToClient.USER32(00000002,00000002), ref: 006A9B05
                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 006A9B72
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Window$ClientMoveRectScreen
                    • String ID:
                    • API String ID: 3880355969-0
                    • Opcode ID: 2ecd416cb72034e2b1e6f580af8d5b5ff62bab3619cb8fdf2198fc4bb06e27f5
                    • Instruction ID: d4aedc0e8d8409c035a863306756ec34341bd4c57dedfd9860edf1de5d945436
                    • Opcode Fuzzy Hash: 2ecd416cb72034e2b1e6f580af8d5b5ff62bab3619cb8fdf2198fc4bb06e27f5
                    • Instruction Fuzzy Hash: D351FB34A00649AFCF14EF58D8819EE7BB7EB56360F248559F9159B3A0D730AD41CFA0
                    APIs
                    • socket.WSOCK32(00000002,00000002,00000011), ref: 00696CE4
                    • WSAGetLastError.WSOCK32(00000000), ref: 00696CF4
                      • Part of subcall function 00629997: __itow.LIBCMT ref: 006299C2
                      • Part of subcall function 00629997: __swprintf.LIBCMT ref: 00629A0C
                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00696D58
                    • WSAGetLastError.WSOCK32(00000000), ref: 00696D64
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ErrorLast$__itow__swprintfsocket
                    • String ID:
                    • API String ID: 2214342067-0
                    • Opcode ID: 932d3564bb92f67bcc4f3bf8532b15661b28e9d2d4695d7bc24a93d23d0f0a7a
                    • Instruction ID: d2fa416fb39036a206056c8c06a84a8055f3ba63618914f0f1acac02efc4d38d
                    • Opcode Fuzzy Hash: 932d3564bb92f67bcc4f3bf8532b15661b28e9d2d4695d7bc24a93d23d0f0a7a
                    • Instruction Fuzzy Hash: 1841A574740710AFEB60AF24EC86F7A77EA9F48B10F44841CFA599B2D2DA719C018F55
                    APIs
                    • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,006AF910), ref: 006967BA
                    • _strlen.LIBCMT ref: 006967EC
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _strlen
                    • String ID:
                    • API String ID: 4218353326-0
                    • Opcode ID: 28d8a0cb35cbf1191ae29702c76c916af060636b653132a2bf8bb39d51bdf267
                    • Instruction ID: 14488602eb2f9ee2a6c9fe15077bfa8b9e50176bf8ee17f6adc9331c50e62795
                    • Opcode Fuzzy Hash: 28d8a0cb35cbf1191ae29702c76c916af060636b653132a2bf8bb39d51bdf267
                    • Instruction Fuzzy Hash: 6341B531A00614ABCF54EBA4DDC5EBEB3AFAF44314F148169F81A9B291DB30AD01CB65
                    APIs
                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0068BB09
                    • GetLastError.KERNEL32(?,00000000), ref: 0068BB2F
                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0068BB54
                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0068BB80
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: CreateHardLink$DeleteErrorFileLast
                    • String ID:
                    • API String ID: 3321077145-0
                    • Opcode ID: 712f6fe2acf00d363a065d1a805c62dc246ca27ff4ea6aa61df6e9123ec18309
                    • Instruction ID: 82f08568a7c939f296be7ff8d4d7fdf459354ad35d19ed819ae3e499ff46f093
                    • Opcode Fuzzy Hash: 712f6fe2acf00d363a065d1a805c62dc246ca27ff4ea6aa61df6e9123ec18309
                    • Instruction Fuzzy Hash: 63412B35600A20DFDB10EF15D585A59BBE2EF89320F09C488E84A9B762CB31FD41CFA5
                    APIs
                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006A8B4D
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: InvalidateRect
                    • String ID:
                    • API String ID: 634782764-0
                    • Opcode ID: 5ace80a9a586b18c99fc8ef3996eb1af19776d56a959b1d42a9cf3dd506abf2b
                    • Instruction ID: ede7c012b079e4358d14ba940e5e57a31a875e0e462de7e7e392a3bdd703ddd5
                    • Opcode Fuzzy Hash: 5ace80a9a586b18c99fc8ef3996eb1af19776d56a959b1d42a9cf3dd506abf2b
                    • Instruction Fuzzy Hash: D031ADB4600214BEEB24BE58CC85BE937A7EB17310F244916FA51D73A1DF30AD408F61
                    APIs
                    • ClientToScreen.USER32(?,?), ref: 006AAE1A
                    • GetWindowRect.USER32(?,?), ref: 006AAE90
                    • PtInRect.USER32(?,?,006AC304), ref: 006AAEA0
                    • MessageBeep.USER32(00000000), ref: 006AAF11
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Rect$BeepClientMessageScreenWindow
                    • String ID:
                    • API String ID: 1352109105-0
                    • Opcode ID: 4be7d7e8288940f754526821b563de76ea5234be82112842c01b81acad368f4d
                    • Instruction ID: dffb5a15512ae02fd936a39f52f12c17c123b8460b93c8a096f0e840d10e7649
                    • Opcode Fuzzy Hash: 4be7d7e8288940f754526821b563de76ea5234be82112842c01b81acad368f4d
                    • Instruction Fuzzy Hash: 3A418070600215DFCB11EF98C884AA9BBF7FB8A340F1481AAE4148B351D731AC02DF62
                    APIs
                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00681037
                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00681053
                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 006810B9
                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0068110B
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: KeyboardState$InputMessagePostSend
                    • String ID:
                    • API String ID: 432972143-0
                    • Opcode ID: d35ef69e6d9b873211720b2d399e57e51e95bc0ed4139fd0f01043d5ea0837eb
                    • Instruction ID: 1c03d8ea19fc99cba6dd95861883cc15e0ee8bf8566133d83b5a49857ea6a80a
                    • Opcode Fuzzy Hash: d35ef69e6d9b873211720b2d399e57e51e95bc0ed4139fd0f01043d5ea0837eb
                    • Instruction Fuzzy Hash: 93315E30E40688AEFF30AB658C05BF9BBAFAF47310F04431AE5845A2D1CB7549C79765
                    APIs
                    • GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 00681176
                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00681192
                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 006811F1
                    • SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 00681243
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: KeyboardState$InputMessagePostSend
                    • String ID:
                    • API String ID: 432972143-0
                    • Opcode ID: 82280112bbcd50b9b61a3cdfc4e0c505c7f54c82ddb0a02b42ab5f679a62c1ae
                    • Instruction ID: 92faf007fa7fc917c839955b6d6f57f39ee8fce2469739da2b6aeaa019f4ab6f
                    • Opcode Fuzzy Hash: 82280112bbcd50b9b61a3cdfc4e0c505c7f54c82ddb0a02b42ab5f679a62c1ae
                    • Instruction Fuzzy Hash: C3314870D402089AFF30ABA58C187FA7BAFAB4B310F04431EE5D09A6D1C3755A868751
                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0065644B
                    • __isleadbyte_l.LIBCMT ref: 00656479
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006564A7
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006564DD
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                    • String ID:
                    • API String ID: 3058430110-0
                    • Opcode ID: 87f3898fd5a902eddace41062cbf5f1e29fa7defa3d3275de0ef06de65df38c2
                    • Instruction ID: fb0761a4bb430b6307bf01819bfea225728339cec3aededf24c1913b8fcf876e
                    • Opcode Fuzzy Hash: 87f3898fd5a902eddace41062cbf5f1e29fa7defa3d3275de0ef06de65df38c2
                    • Instruction Fuzzy Hash: 8C31D031600246AFDB218F74C844BAA7BE7FF41312F558129FC54872A0E731EC99DB90
                    APIs
                    • GetForegroundWindow.USER32 ref: 006A5189
                      • Part of subcall function 0068387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00683897
                      • Part of subcall function 0068387D: GetCurrentThreadId.KERNEL32 ref: 0068389E
                      • Part of subcall function 0068387D: AttachThreadInput.USER32(00000000,?,006852A7), ref: 006838A5
                    • GetCaretPos.USER32(?), ref: 006A519A
                    • ClientToScreen.USER32(00000000,?), ref: 006A51D5
                    • GetForegroundWindow.USER32 ref: 006A51DB
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                    • String ID:
                    • API String ID: 2759813231-0
                    • Opcode ID: 069aab16567c087a0a53b46120172a4e8c90a7fa8168075ef9e0b9879b2df045
                    • Instruction ID: 7f4b307768031b5562030ac1a3bcafa29e158da21400b116b8ce4b9a732f0710
                    • Opcode Fuzzy Hash: 069aab16567c087a0a53b46120172a4e8c90a7fa8168075ef9e0b9879b2df045
                    • Instruction Fuzzy Hash: CA314C71D00218AFCB40EFA5D8859EFB7FAEF98300F10406AE405E7201EA75AE01CFA4
                    APIs
                      • Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623
                    • GetCursorPos.USER32(?), ref: 006AC7C2
                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0065BBFB,?,?,?,?,?), ref: 006AC7D7
                    • GetCursorPos.USER32(?), ref: 006AC824
                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0065BBFB,?,?,?), ref: 006AC85E
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                    • String ID:
                    • API String ID: 2864067406-0
                    • Opcode ID: 27dbed04f96ac29366413c853c9e084061cb33e6f42c5f9e34551fdd18fc4f9a
                    • Instruction ID: 0146f77baef73142ca382f0ff72ae4fa91ac148408e21a489bd1d737cf2153c3
                    • Opcode Fuzzy Hash: 27dbed04f96ac29366413c853c9e084061cb33e6f42c5f9e34551fdd18fc4f9a
                    • Instruction Fuzzy Hash: 84317335500118AFCB15DF58C898EEA7FBBFB4A720F044069F9058B261D7359D51DF60
                    APIs
                    • __setmode.LIBCMT ref: 00640BF2
                      • Part of subcall function 00625B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00687B20,?,?,00000000), ref: 00625B8C
                      • Part of subcall function 00625B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00687B20,?,?,00000000,?,?), ref: 00625BB0
                    • _fprintf.LIBCMT ref: 00640C29
                    • OutputDebugStringW.KERNEL32(?), ref: 00676331
                      • Part of subcall function 00644CDA: _flsall.LIBCMT ref: 00644CF3
                    • __setmode.LIBCMT ref: 00640C5E
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                    • String ID:
                    • API String ID: 521402451-0
                    • Opcode ID: 54c08c2c2704a24f1a6343ba353ab67e16cddc92d22aed27ae06ec50fb912533
                    • Instruction ID: 864caf31ed017a411041d2e8d84255fa1243e1c6f270b5b4f1f604e2a57b724c
                    • Opcode Fuzzy Hash: 54c08c2c2704a24f1a6343ba353ab67e16cddc92d22aed27ae06ec50fb912533
                    • Instruction Fuzzy Hash: 73113632A04614BEEB44B3B4AC83AFE7B6B9F41320F14411EF20457192DE315D8297A9
                    APIs
                      • Part of subcall function 00678652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00678669
                      • Part of subcall function 00678652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00678673
                      • Part of subcall function 00678652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00678682
                      • Part of subcall function 00678652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00678689
                      • Part of subcall function 00678652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0067869F
                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00678BEB
                    • _memcmp.LIBCMT ref: 00678C0E
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00678C44
                    • HeapFree.KERNEL32(00000000), ref: 00678C4B
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                    • String ID:
                    • API String ID: 1592001646-0
                    • Opcode ID: 4ebf5dc70de62a0e60365196ef555fc1c246b0ac8ecbfd4c0ea01ade1e1daa93
                    • Instruction ID: a17f5b103341faca6717fb756171c59c48e2a760143937bb50b3bba4bc2c481c
                    • Opcode Fuzzy Hash: 4ebf5dc70de62a0e60365196ef555fc1c246b0ac8ecbfd4c0ea01ade1e1daa93
                    • Instruction Fuzzy Hash: D1219071E81208EFDB10DFA4C949BEEB7BAEF44354F158099E458A7240DB31AE46CF61
                    APIs
                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00691A97
                      • Part of subcall function 00691B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00691B40
                      • Part of subcall function 00691B21: InternetCloseHandle.WININET(00000000), ref: 00691BDD
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Internet$CloseConnectHandleOpen
                    • String ID:
                    • API String ID: 1463438336-0
                    • Opcode ID: a2e8b67f0ac1252791dd254a04fe36224603c993fe1627e133e63c66c56381e3
                    • Instruction ID: 5822ac217d6c1971665624877c0f31be43c916fdc219ef5a962f1419bcaf4593
                    • Opcode Fuzzy Hash: a2e8b67f0ac1252791dd254a04fe36224603c993fe1627e133e63c66c56381e3
                    • Instruction Fuzzy Hash: EA21A435200606BFDF119FA0DC01FBAB7AFFF46701F20401AF9119AA55E771E8119B94
                    APIs
                      • Part of subcall function 0067F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0067E1C4,?,?,?,0067EFB7,00000000,000000EF,00000119,?,?), ref: 0067F5BC
                      • Part of subcall function 0067F5AD: lstrcpyW.KERNEL32(00000000,?,?,0067E1C4,?,?,?,0067EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0067F5E2
                      • Part of subcall function 0067F5AD: lstrcmpiW.KERNEL32(00000000,?,0067E1C4,?,?,?,0067EFB7,00000000,000000EF,00000119,?,?), ref: 0067F613
                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0067EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0067E1DD
                    • lstrcpyW.KERNEL32(00000000,?,?,0067EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0067E203
                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,0067EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0067E237
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: lstrcmpilstrcpylstrlen
                    • String ID: cdecl
                    • API String ID: 4031866154-3896280584
                    • Opcode ID: 36eb03f43c722092aa1479f7c6d4325956f5ef2b9cde9379343735329ec27814
                    • Instruction ID: ad3d7be27a1f815bcb8f68b0fa5cc2649ad23048c0c9ce3d7f6afba41b8f0025
                    • Opcode Fuzzy Hash: 36eb03f43c722092aa1479f7c6d4325956f5ef2b9cde9379343735329ec27814
                    • Instruction Fuzzy Hash: 72110336200301EFCB24AF74DC05D7A77AAFF49310B40806AF81ACB251EB72A954C7A1
                    APIs
                    • _free.LIBCMT ref: 00655351
                      • Part of subcall function 0064594C: __FF_MSGBANNER.LIBCMT ref: 00645963
                      • Part of subcall function 0064594C: __NMSG_WRITE.LIBCMT ref: 0064596A
                      • Part of subcall function 0064594C: RtlAllocateHeap.NTDLL(00FF0000,00000000,00000001,00000000,?,?,?,00641013,?), ref: 0064598F
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: AllocateHeap_free
                    • String ID:
                    • API String ID: 614378929-0
                    • Opcode ID: a3bae6b6fdc037adab26aa21c9bb1d10eca5be1847813b5394f72fa57ed7d095
                    • Instruction ID: 0acdd2b7644313420c53923fcf384620ecb8031a725e153a6455407125ff8fb3
                    • Opcode Fuzzy Hash: a3bae6b6fdc037adab26aa21c9bb1d10eca5be1847813b5394f72fa57ed7d095
                    • Instruction Fuzzy Hash: 7F110432805B15AFCF203F70E86969D37975F013E2F10042DFD0A9A291EE7189459694
                    APIs
                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 006840D1
                    • _memset.LIBCMT ref: 006840F2
                    • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00684144
                    • CloseHandle.KERNEL32(00000000), ref: 0068414D
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: CloseControlCreateDeviceFileHandle_memset
                    • String ID:
                    • API String ID: 1157408455-0
                    • Opcode ID: 75e32246b09361c2af7867710aa6ed59c7fbe4bcd5961043b1d62e3abe6d7e1b
                    • Instruction ID: 699e8da8a94ddedb1d08d23ba9227935619d2b7c6b3865821660db9edb14834c
                    • Opcode Fuzzy Hash: 75e32246b09361c2af7867710aa6ed59c7fbe4bcd5961043b1d62e3abe6d7e1b
                    • Instruction Fuzzy Hash: 85110D759012287AD7306BA59C4DFEBBB7DEF45760F10429AF908D7280D6744F80CBA4
                    APIs
                      • Part of subcall function 00625B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00687B20,?,?,00000000), ref: 00625B8C
                      • Part of subcall function 00625B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00687B20,?,?,00000000,?,?), ref: 00625BB0
                    • gethostbyname.WSOCK32(?,?,?), ref: 006966AC
                    • WSAGetLastError.WSOCK32(00000000), ref: 006966B7
                    • _memmove.LIBCMT ref: 006966E4
                    • inet_ntoa.WSOCK32(?), ref: 006966EF
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                    • String ID:
                    • API String ID: 1504782959-0
                    • Opcode ID: 594db7521bc34ae83a2e7496e8eda0f9ed7e5a07537cd9461919206ba4ba1f4a
                    • Instruction ID: 01124a8545b04b42100e989801820a682705ee267660b5dd575d545c063769de
                    • Opcode Fuzzy Hash: 594db7521bc34ae83a2e7496e8eda0f9ed7e5a07537cd9461919206ba4ba1f4a
                    • Instruction Fuzzy Hash: B9115135500505AFCF40FBA4ED96DEEB7BAAF45311B144069F506A7161DF30AE04CF65
                    APIs
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00679043
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00679055
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0067906B
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00679086
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0
                    • Opcode ID: 4ab21975033981825207686894a728092c408b234f743c87b844e45771c01233
                    • Instruction ID: 1706a5f795ff0c07b093743bb1edd3ec63129a0afc46aed3dcab940213cf933b
                    • Opcode Fuzzy Hash: 4ab21975033981825207686894a728092c408b234f743c87b844e45771c01233
                    • Instruction Fuzzy Hash: ED115E79900218FFDB10DFA5CC85EDDBBB9FB48310F204095E904B7250D6716E10DBA4
                    APIs
                      • Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623
                    • DefDlgProcW.USER32(?,00000020,?), ref: 006212D8
                    • GetClientRect.USER32(?,?), ref: 0065B84B
                    • GetCursorPos.USER32(?), ref: 0065B855
                    • ScreenToClient.USER32(?,?), ref: 0065B860
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Client$CursorLongProcRectScreenWindow
                    • String ID:
                    • API String ID: 4127811313-0
                    • Opcode ID: 8e51bd4cc5522cfee8d5d3a26685e2b52caada002ce431f5957fd3b46a8d156b
                    • Instruction ID: 1332c17e4bcb6b64e9c8bd1b44f565744b6d9ed152ff8acbbcc929eb795199b0
                    • Opcode Fuzzy Hash: 8e51bd4cc5522cfee8d5d3a26685e2b52caada002ce431f5957fd3b46a8d156b
                    • Instruction Fuzzy Hash: DD116A35905429EFCB10EFA4E8859EE77BAEB16300F000456F901EB241C730BA918FAA
                    APIs
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006801FD,?,00681250,?,00008000), ref: 0068166F
                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,006801FD,?,00681250,?,00008000), ref: 00681694
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006801FD,?,00681250,?,00008000), ref: 0068169E
                    • Sleep.KERNEL32(?,?,?,?,?,?,?,006801FD,?,00681250,?,00008000), ref: 006816D1
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: CounterPerformanceQuerySleep
                    • String ID:
                    • API String ID: 2875609808-0
                    • Opcode ID: 655e36c6e5b244a1cdd8497cf2000e4f867185068e99ea3afc9a4c48aa662e2b
                    • Instruction ID: eaf35876294f091c5a51978bcd761afa5aea70da90c6d8a38e952af35a57bc32
                    • Opcode Fuzzy Hash: 655e36c6e5b244a1cdd8497cf2000e4f867185068e99ea3afc9a4c48aa662e2b
                    • Instruction Fuzzy Hash: EE118E31C0052CD7CF00AFE5D848AEEBB7EFF0A711F154159E980BA240DB3169A28B96
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                    • Instruction ID: 302a784b98241f02aed2a0fe89107141c5ba1a2f1e6b7ebd87b4d150909a83da
                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                    • Instruction Fuzzy Hash: 7D01803204414ABBCF525E84EC01CEE3F23BF19342F088515FE1858131C237CAB9AB81
                    APIs
                    • GetWindowRect.USER32(?,?), ref: 006AB59E
                    • ScreenToClient.USER32(?,?), ref: 006AB5B6
                    • ScreenToClient.USER32(?,?), ref: 006AB5DA
                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 006AB5F5
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ClientRectScreen$InvalidateWindow
                    • String ID:
                    • API String ID: 357397906-0
                    • Opcode ID: 377ae6a9cd6164012e9225653ef7b8da3f302aea6ca82c2d5c2d033628dcdce8
                    • Instruction ID: cac8ec3ad3c7753f55ef0923589985c990d86fc7ee1ca3b705f31ddd924023ca
                    • Opcode Fuzzy Hash: 377ae6a9cd6164012e9225653ef7b8da3f302aea6ca82c2d5c2d033628dcdce8
                    • Instruction Fuzzy Hash: 821143B9D00209EFDB41DFA9C8849EEFBB9FF09310F109166E914E3220D735AA558F91
                    APIs
                    • _memset.LIBCMT ref: 006AB8FE
                    • _memset.LIBCMT ref: 006AB90D
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,006E7F20,006E7F64), ref: 006AB93C
                    • CloseHandle.KERNEL32 ref: 006AB94E
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _memset$CloseCreateHandleProcess
                    • String ID:
                    • API String ID: 3277943733-0
                    • Opcode ID: 07457b1e8d205de205993c3c663b6cb2b938b322c5dcb4cc67d2ba4dcd039f21
                    • Instruction ID: 809195307a431a75c64112ca344fc0b36d161dbe92eaf8888e1924de25553eca
                    • Opcode Fuzzy Hash: 07457b1e8d205de205993c3c663b6cb2b938b322c5dcb4cc67d2ba4dcd039f21
                    • Instruction Fuzzy Hash: C5F05EB25443907BE7102BA1AC45FBB3A5EEB09754F006020BA08DA292D7715D008BA9
                    APIs
                    • EnterCriticalSection.KERNEL32(?), ref: 00686E88
                      • Part of subcall function 0068794E: _memset.LIBCMT ref: 00687983
                    • _memmove.LIBCMT ref: 00686EAB
                    • _memset.LIBCMT ref: 00686EB8
                    • LeaveCriticalSection.KERNEL32(?), ref: 00686EC8
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: CriticalSection_memset$EnterLeave_memmove
                    • String ID:
                    • API String ID: 48991266-0
                    • Opcode ID: 46405992f5784488ae63f365d759d781fb5c6ec20802cf392a64b7dea0342c52
                    • Instruction ID: bf447460e7ab74d6fd53df3e8ceb13e7c7b0e2b34e2518b6206a69fdc64d397b
                    • Opcode Fuzzy Hash: 46405992f5784488ae63f365d759d781fb5c6ec20802cf392a64b7dea0342c52
                    • Instruction Fuzzy Hash: FAF0543A100210ABCF517F95DC85B89BB2BEF45320B048165FE085F226C731E951DBB5
                    APIs
                      • Part of subcall function 006212F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0062134D
                      • Part of subcall function 006212F3: SelectObject.GDI32(?,00000000), ref: 0062135C
                      • Part of subcall function 006212F3: BeginPath.GDI32(?), ref: 00621373
                      • Part of subcall function 006212F3: SelectObject.GDI32(?,00000000), ref: 0062139C
                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 006AC030
                    • LineTo.GDI32(00000000,?,?), ref: 006AC03D
                    • EndPath.GDI32(00000000), ref: 006AC04D
                    • StrokePath.GDI32(00000000), ref: 006AC05B
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                    • String ID:
                    • API String ID: 1539411459-0
                    • Opcode ID: 658d52f9987636d031b168cf7cbc930042e26ffd06a85dab85851e78c899c216
                    • Instruction ID: 01c240460ac288ce74352cef50c5ec0a27b7a166f2f8eb39a675125dc5623ba7
                    • Opcode Fuzzy Hash: 658d52f9987636d031b168cf7cbc930042e26ffd06a85dab85851e78c899c216
                    • Instruction Fuzzy Hash: FAF03A31005659BADB226F94AC09FCE3B9AAF16321F044000FA11651E287A56A61CFAA
                    APIs
                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0067A399
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0067A3AC
                    • GetCurrentThreadId.KERNEL32 ref: 0067A3B3
                    • AttachThreadInput.USER32(00000000), ref: 0067A3BA
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                    • String ID:
                    • API String ID: 2710830443-0
                    • Opcode ID: d25a1f70bd8462a6dc5a27365134b68e3022f2ca0070e27cd824a3763fcc6c42
                    • Instruction ID: adb5c4bd7943dbf9f0297533f764b0668149523ff7cb94be4289d3f1afe278e4
                    • Opcode Fuzzy Hash: d25a1f70bd8462a6dc5a27365134b68e3022f2ca0070e27cd824a3763fcc6c42
                    • Instruction Fuzzy Hash: DEE0C931545228BADB206FE2DC0DEDB7F5EEF167A2F009025F509D50A0C6719941DBA2
                    APIs
                    • GetSysColor.USER32(00000008), ref: 00622231
                    • SetTextColor.GDI32(?,000000FF), ref: 0062223B
                    • SetBkMode.GDI32(?,00000001), ref: 00622250
                    • GetStockObject.GDI32(00000005), ref: 00622258
                    • GetWindowDC.USER32(?,00000000), ref: 0065C0D3
                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0065C0E0
                    • GetPixel.GDI32(00000000,?,00000000), ref: 0065C0F9
                    • GetPixel.GDI32(00000000,00000000,?), ref: 0065C112
                    • GetPixel.GDI32(00000000,?,?), ref: 0065C132
                    • ReleaseDC.USER32(?,00000000), ref: 0065C13D
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                    • String ID:
                    • API String ID: 1946975507-0
                    • Opcode ID: 66adb9021bda08a95de25b2a6e7f92d3b9ea7bbdecc4ba7db1583ef78306338f
                    • Instruction ID: 13a27fad79b204a8258249d911650b339c04d6ec3270033407eb517f3f72bc6f
                    • Opcode Fuzzy Hash: 66adb9021bda08a95de25b2a6e7f92d3b9ea7bbdecc4ba7db1583ef78306338f
                    • Instruction Fuzzy Hash: 21E06D32600244EEDB216FA4FC0D7D87B12EB16332F0083B6FA69480E1C7724984DF22
                    APIs
                    • GetCurrentThread.KERNEL32 ref: 00678C63
                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,0067882E), ref: 00678C6A
                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0067882E), ref: 00678C77
                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,0067882E), ref: 00678C7E
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: CurrentOpenProcessThreadToken
                    • String ID:
                    • API String ID: 3974789173-0
                    • Opcode ID: 599a1aa206e2877b6037641aae3f964d641e13cb3709255089491b179a54bb0c
                    • Instruction ID: 178f6e439774b97e511e9118b5ba7de829e0134bfb976f277101de4bf0c9e435
                    • Opcode Fuzzy Hash: 599a1aa206e2877b6037641aae3f964d641e13cb3709255089491b179a54bb0c
                    • Instruction Fuzzy Hash: 96E08636642211DFD7206FF16D0CF977BAEEF52792F089828B245CA040DA349841CF62
                    APIs
                    • GetDesktopWindow.USER32 ref: 00662187
                    • GetDC.USER32(00000000), ref: 00662191
                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 006621B1
                    • ReleaseDC.USER32(?), ref: 006621D2
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: CapsDesktopDeviceReleaseWindow
                    • String ID:
                    • API String ID: 2889604237-0
                    • Opcode ID: 887c410e605a6b00e5389a9ed37f08bcc670214824c49b1eae8e9166d3badec6
                    • Instruction ID: fb15ce37bb346f20c0c07abf9c36f52699f3e24fef7d337cb577a2afb511482c
                    • Opcode Fuzzy Hash: 887c410e605a6b00e5389a9ed37f08bcc670214824c49b1eae8e9166d3badec6
                    • Instruction Fuzzy Hash: 72E01A75800614EFDB11AFA0D808A9D7BF3EB4D351F109429FD5A97220CB39A1429F41
                    APIs
                    • GetDesktopWindow.USER32 ref: 0066219B
                    • GetDC.USER32(00000000), ref: 006621A5
                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 006621B1
                    • ReleaseDC.USER32(?), ref: 006621D2
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: CapsDesktopDeviceReleaseWindow
                    • String ID:
                    • API String ID: 2889604237-0
                    • Opcode ID: da11444b882f8c5af480efb3250e73150b8ed80173e6e588279b86cb3464e5fd
                    • Instruction ID: 7e0f188788198677d11365366ed846d01b7318dfa3bf28374623bafcfd7ac8d6
                    • Opcode Fuzzy Hash: da11444b882f8c5af480efb3250e73150b8ed80173e6e588279b86cb3464e5fd
                    • Instruction Fuzzy Hash: 90E01A75C00614AFCB11AFB0D80869D7BF2EB4D311F109029F95A97220CB39A1419F41
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID:
                    • String ID: %k
                    • API String ID: 0-3601005739
                    • Opcode ID: 6a5831c4704a952ebc3b175968dafcb34cb892ff82fe461a8ed6a381997b3296
                    • Instruction ID: 6da8a1d4ac3de5a4fd98a6a03ee79ed2a4268b73f7116b6ea1e9b16e36443add
                    • Opcode Fuzzy Hash: 6a5831c4704a952ebc3b175968dafcb34cb892ff82fe461a8ed6a381997b3296
                    • Instruction Fuzzy Hash: ACB1B27180092A9BCF24EF94E4819FDB7B6FF04310F50812AF942A7295DB349E86CF65
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: __itow_s
                    • String ID: xrn$xrn
                    • API String ID: 3653519197-3769791102
                    • Opcode ID: 859fa72000f08c44d1ddc2498e185071b053b2146866c54b641e7e0f8e51190f
                    • Instruction ID: 1f181e99ffbc4de068c55fd43ded68fb9bfd421e7f5a554b3157d44fe28c68e1
                    • Opcode Fuzzy Hash: 859fa72000f08c44d1ddc2498e185071b053b2146866c54b641e7e0f8e51190f
                    • Instruction Fuzzy Hash: 6DB17C70A00209AFDF14DF54E990EBEB7BAEF58300F149159F9459B292DB70EA41CB64
                    APIs
                      • Part of subcall function 0063FEC6: _wcscpy.LIBCMT ref: 0063FEE9
                      • Part of subcall function 00629997: __itow.LIBCMT ref: 006299C2
                      • Part of subcall function 00629997: __swprintf.LIBCMT ref: 00629A0C
                    • __wcsnicmp.LIBCMT ref: 0068B298
                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0068B361
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                    • String ID: LPT
                    • API String ID: 3222508074-1350329615
                    • Opcode ID: 0ad1bac66a34b692611bd812e1f9253f792af0c99c6295095fba833fd91f1540
                    • Instruction ID: 18dfe33db56ca644d23aa05027dfe221b2ef9d7a809e66d3f96204d6fb7f27eb
                    • Opcode Fuzzy Hash: 0ad1bac66a34b692611bd812e1f9253f792af0c99c6295095fba833fd91f1540
                    • Instruction Fuzzy Hash: 0A61A275E00215AFCB14EF94D891EEEB7B6AF08310F15915DF506AB351DB70AE80CB94
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID: Oac
                    • API String ID: 4104443479-752515563
                    • Opcode ID: 4ff7708eaa290a61569ff269f946033c7988c456347a61d48ae920c10b2a3504
                    • Instruction ID: 01aa788b4907fd3fb88a0e2583c1a7687164a21ba5b9c07121daf9123ba57662
                    • Opcode Fuzzy Hash: 4ff7708eaa290a61569ff269f946033c7988c456347a61d48ae920c10b2a3504
                    • Instruction Fuzzy Hash: 205120749006099FCF64CFA8C884AAEB7B2FF44314F14455AE85AD7350DB31A995CB51
                    APIs
                    • Sleep.KERNEL32(00000000), ref: 00632AC8
                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00632AE1
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: GlobalMemorySleepStatus
                    • String ID: @
                    • API String ID: 2783356886-2766056989
                    • Opcode ID: 4ece3ce8ce129f2286f2213516cfbc6d29cbf4cafca8cbc93423224e75914c85
                    • Instruction ID: 28d8021b566ed1961685997d469f8357f7f8230436e23bfe95738d978ec3c6da
                    • Opcode Fuzzy Hash: 4ece3ce8ce129f2286f2213516cfbc6d29cbf4cafca8cbc93423224e75914c85
                    • Instruction Fuzzy Hash: 03514871418B549BD360AF10E886BABBBE8FFC4314F42485DF1D9411A5DB309929CB6A
                    APIs
                      • Part of subcall function 0062506B: __fread_nolock.LIBCMT ref: 00625089
                    • _wcscmp.LIBCMT ref: 00689AAE
                    • _wcscmp.LIBCMT ref: 00689AC1
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: _wcscmp$__fread_nolock
                    • String ID: FILE
                    • API String ID: 4029003684-3121273764
                    • Opcode ID: 82a1c39cd0337545f19ee48860c09506e8502bf6455eb9604b9842e3dc0f143a
                    • Instruction ID: 4c3fa4543b21a351c3798e657b383dd758c08271cecba6a051be839d3209eab6
                    • Opcode Fuzzy Hash: 82a1c39cd0337545f19ee48860c09506e8502bf6455eb9604b9842e3dc0f143a
                    • Instruction Fuzzy Hash: 0141D671A0061ABADF20AAA0DC45FEFBBBEDF45710F04006DF901A7281DA759A048BB5
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: ClearVariant
                    • String ID: Dtn$Dtn
                    • API String ID: 1473721057-570680631
                    • Opcode ID: 30dbd27e0872deb57742f6d5bd582307c6ecbb9e54eee44e303dc7a7c8f79f75
                    • Instruction ID: 96346b28f33d02202041bc27e4660aaa83b4336bab918051cf38a1412e6903f3
                    • Opcode Fuzzy Hash: 30dbd27e0872deb57742f6d5bd582307c6ecbb9e54eee44e303dc7a7c8f79f75
                    • Instruction Fuzzy Hash: 90510278608752CFD754CF59D480A6ABBE2BB99344F54885CE9818B361E372EC81CF82
                    APIs
                    • _memset.LIBCMT ref: 00692892
                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 006928C8
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: CrackInternet_memset
                    • String ID: |
                    • API String ID: 1413715105-2343686810
                    • Opcode ID: 77d91c5660e88e2a30ba0671e7a06a3e0630456430dc6a335d19d7d3e75ce0e2
                    • Instruction ID: 31efa768d7c38be9ce24ee9bf7eaa9709e71421c72249b35972c5e2d8000c632
                    • Opcode Fuzzy Hash: 77d91c5660e88e2a30ba0671e7a06a3e0630456430dc6a335d19d7d3e75ce0e2
                    • Instruction Fuzzy Hash: D8311C7180011AAFCF41DFA1DC85EEEBFBAFF08300F104029F815A6265EA355956DB61
                    APIs
                    • DestroyWindow.USER32(?,?,?,?), ref: 006A6D86
                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 006A6DC2
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Window$DestroyMove
                    • String ID: static
                    • API String ID: 2139405536-2160076837
                    • Opcode ID: c44edaddbfba3398d2e5ebd2715c0933b154f6155e4b1e9c8b1663fc38b1090f
                    • Instruction ID: 3b4775a907744276cf47c0a31490230f7c0536a1e7299d1eddd9a39bcafb3bd0
                    • Opcode Fuzzy Hash: c44edaddbfba3398d2e5ebd2715c0933b154f6155e4b1e9c8b1663fc38b1090f
                    • Instruction Fuzzy Hash: 2431A171200604AEDB10AF74DC81AFB77BAFF49760F14961DF99697190CA31AC51CF64
                    APIs
                    • _memset.LIBCMT ref: 00682E00
                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00682E3B
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: InfoItemMenu_memset
                    • String ID: 0
                    • API String ID: 2223754486-4108050209
                    • Opcode ID: cbd8fb2cb3f58a8633d2896590f27faae297fe8547c80bd3226900ff5e2897c4
                    • Instruction ID: a0de3f89ceb5b585f1cb24337e91f6227e79fe2eafb495264a7bae53159f80d0
                    • Opcode Fuzzy Hash: cbd8fb2cb3f58a8633d2896590f27faae297fe8547c80bd3226900ff5e2897c4
                    • Instruction Fuzzy Hash: E731E931A0030AABEB24EF58C9897DEBBFBFF05350F14022DED85962A1D7709944CB58
                    APIs
                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 006A69D0
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006A69DB
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: Combobox
                    • API String ID: 3850602802-2096851135
                    • Opcode ID: 4d4f303e4f1c1850efd60a0bdfa5876b7d089073cdb9c596f2b330f55eaa9c26
                    • Instruction ID: f8129e200220669c9230d23aa746a7bdc5678dc4c89c0348f0781c1ac0159f5b
                    • Opcode Fuzzy Hash: 4d4f303e4f1c1850efd60a0bdfa5876b7d089073cdb9c596f2b330f55eaa9c26
                    • Instruction Fuzzy Hash: 3A11B27160020AAFEF11AF14CC80EEB376FEB9A3A4F150129F9589B391D6719C518FA0
                    APIs
                      • Part of subcall function 00621D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00621D73
                      • Part of subcall function 00621D35: GetStockObject.GDI32(00000011), ref: 00621D87
                      • Part of subcall function 00621D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00621D91
                    • GetWindowRect.USER32(00000000,?), ref: 006A6EE0
                    • GetSysColor.USER32(00000012), ref: 006A6EFA
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1309513024.0000000000621000.00000020.00000001.01000000.00000004.sdmp, Offset: 00620000, based on PE: true
                    • Associated: 00000006.00000002.1309490674.0000000000620000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006AF000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309579705.00000000006D5000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309627107.00000000006DF000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000006.00000002.1309649467.00000000006E8000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_620000_S91AYfMUT0.jbxd
                    Similarity
                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                    • String ID: static
                    • API String ID: 1983116058-2160076837
                    • Opcode ID: 463c1e92f7c9cbae4ffe1a9defa44a763e5abea9aac1c81ab52ac30233b9e674
                    • Instruction ID: 0f3c3df6511ca592e44fe6f16ef431c03f6779d6d11fb2b3d18f49a97f491f47
                    • Opcode Fuzzy Hash: 463c1e92f7c9cbae4ffe1a9defa44a763e5abea9aac1c81ab52ac30233b9e674
                    • Instruction Fuzzy Hash: 73215972610209AFDF04EFA8DC45AEA7BBAFB09314F045628FA55D3250D634E8619F60
                    APIs
                    • GetWindowTextLengthW.USER32(00000000), ref: 006A6C11
                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006A6C20
                    Strings
                    Similarity
                    • API ID: LengthMessageSendTextWindow
                    • String ID: edit
                    • API String ID: 2978978980-2167791130
                    • Opcode ID: 9b718eef7169bd0588549ede74f8807d4bdbd09a88363033f2693ed297772e09
                    • Instruction ID: 98bebeba47fd117476cfc6e97c9476b22acce9c2d6ba449ca303256e197d90fe
                    • Instruction Fuzzy Hash: FF116D71500208ABEB106F64DC41AEA376BEB16378F144724F961D72E0C775ECA19F60
                    APIs
                    • _memset.LIBCMT ref: 00682F11
                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00682F30
                    Strings
                    Similarity
                    • API ID: InfoItemMenu_memset
                    • String ID: 0
                    • API String ID: 2223754486-4108050209
                    • Opcode ID: 23724a5fbc143dddd1c4cbb1f88148aaedf201ad76c3308ae2b02fc2d38b625a
                    • Instruction ID: 84c64a857e4ba09ee159348fe3c82041cf69e93c3038f7855c0539685589a1ce
                    • Instruction Fuzzy Hash: 5911D031901216ABCB30FB58DD58BDA77BBEB11350F0402B6F944A73A0D7B0AD05C795
                    APIs
                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00692520
                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00692549
                    Strings
                    Similarity
                    • API ID: Internet$OpenOption
                    • String ID: <local>
                    • API String ID: 942729171-4266983199
                    • Opcode ID: fb69392b2e6201e0685e6374fee28d5b6d5f68961aee9e0e86ee66c98086fbb6
                    • Instruction ID: ef4c0ca1367912e094ec4babd23bb96a897cadb3528e1b5032dad545361cdfc0
                    • Instruction Fuzzy Hash: 01110670500226BADF248F51CCA4EFBFFAEFF06751F10812AF90582540D270A981DAF0
                    APIs
                      • Part of subcall function 0069830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,006980C8,?,00000000,?,?), ref: 00698322
                    • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006980CB
                    • htons.WSOCK32(00000000,?,00000000), ref: 00698108
                    Strings
                    Similarity
                    • API ID: ByteCharMultiWidehtonsinet_addr
                    • String ID: 255.255.255.255
                    • API String ID: 2496851823-2422070025
                    • Opcode ID: 21d864e78ac17c8dfd8c7ddaab3f01ccb00a0315304dd41f848c62d60f5c084f
                    • Instruction ID: c621ea7dbd90d0c4639318380f3345e2321d60cb2e53870975ae41acac4c1860
                    • Instruction Fuzzy Hash: 8D11E534600205AFCF20AFA4DC46FFDB32AFF16320F10851BF91297791DA31A811CA59
                    APIs
                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00623C26,006E62F8,?,?,?), ref: 00630ACE
                      • Part of subcall function 00627D2C: _memmove.LIBCMT ref: 00627D66
                    • _wcscat.LIBCMT ref: 006650E1
                    Strings
                    Similarity
                    • API ID: FullNamePath_memmove_wcscat
                    • String ID: cn
                    • API String ID: 257928180-15458471
                    • Opcode ID: c8d59bfcc21607afbf917c94513c9c5a20dfa95f6832072e4bbcce1a68313d96
                    • Instruction ID: efa514d7dfcdbf1ad7e5a8ef1d7067b35589702e0fdf450253140452c4aa2290
                    • Instruction Fuzzy Hash: BB11A534A052189B8B80EBA4DC11ED9B7BFEF08350F0004A9B949D7241EA70EB888B65
                    APIs
                      • Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82
                      • Part of subcall function 0067B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0067B0E7
                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00679355
                    Strings
                    Similarity
                    • API ID: ClassMessageNameSend_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 372448540-1403004172
                    • Opcode ID: fe4648bbc155d5dbff1f92971f5eaacb4985114af9eae6fc51826b12fb230b06
                    • Instruction ID: 878e9193ffefbd6092803286b79c87e7ae52a50bfe6c6b6a2c339269a52594de
                    • Instruction Fuzzy Hash: 9001F171A05224ABCB04EBA4CC92CFE73ABBF06320B14461DF936673D1EB315808CA60
                    APIs
                      • Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82
                      • Part of subcall function 0067B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0067B0E7
                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 0067924D
                    Strings
                    Similarity
                    • API ID: ClassMessageNameSend_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 372448540-1403004172
                    • Opcode ID: 5091db903e93cb8bc6e176f5192075d0ffd35c3618d28527fc28bb614db8d6d4
                    • Instruction ID: 53052079aa67f9bba4e355733f89e6e195ec92a302bac275f08cf81c1c6eeda0
                    • Instruction Fuzzy Hash: 2D01D471E452047BCB14FBA0D992EFF73AA9F05300F144169B91663292EA216F089AB5
                    APIs
                      • Part of subcall function 00627F41: _memmove.LIBCMT ref: 00627F82
                      • Part of subcall function 0067B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0067B0E7
                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 006792D0
                    Strings
                    Similarity
                    • API ID: ClassMessageNameSend_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 372448540-1403004172
                    • Opcode ID: 72199d771a23770706158554610a06521e721e931aa73d4c624ac88bde29a740
                    • Instruction ID: 286c3041ba3fd766219329b1465866df4b919a4a4ae2c4e2eea7fb012c41c117
                    • Instruction Fuzzy Hash: 2301F271E4121877CF00FBA4D982EFF73AE9F01300F244129B91673282DA215F089AB5
                    APIs
                    Strings
                    Similarity
                    • API ID: __calloc_crt
                    • String ID: @Rn
                    • API String ID: 3494438863-2908497755
                    • Opcode ID: c2423edff8039807a386f5a2e84c0a68739c2ddc10c09bfb294542689cdd94d6
                    • Instruction ID: 2ee1def983d388ab60a4ea0eea586093b02874484657838661131fea926d02c1
                    • Instruction Fuzzy Hash: F0F04471B087169FF7648F14FD516952B97EB12760B14442BF201CF290EBB089824685
                    APIs
                    Strings
                    Similarity
                    • API ID: ClassName_wcscmp
                    • String ID: #32770
                    • API String ID: 2292705959-463685578
                    • Opcode ID: c1d761e8e13d49403701023759e7bb9abd315207e1d06ca571cce66f9931d434
                    • Instruction ID: bc51ba605c3df9ccbd571e062235070bcbfa1f5240f262a67f02fc26d6364f26
                    • Instruction Fuzzy Hash: DCE0613290432C17D310ABD5AC45FA7F7ADEB41731F00015BFD10D3140D5609A058BD1
                    APIs
                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 006781CA
                      • Part of subcall function 00643598: _doexit.LIBCMT ref: 006435A2
                    Strings
                    Similarity
                    • API ID: Message_doexit
                    • String ID: AutoIt$Error allocating memory.
                    • API String ID: 1993061046-4017498283
                    • Opcode ID: 474a90610ea3986db6b6f65a8d027bd49d56d94bc9f77741af6297c16b20ee50
                    • Instruction ID: ebf968ae41a45a6630adf87748f8e6ab84845966768ad836944335ae87a8b2f9
                    • Instruction Fuzzy Hash: 1DD012322C532836D35433A46C0ABC56A8A4B16B51F44441ABB08596D38ED559C146AD
                    APIs
                      • Part of subcall function 0065B564: _memset.LIBCMT ref: 0065B571
                      • Part of subcall function 00640B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0065B540,?,?,?,0062100A), ref: 00640B89
                    • IsDebuggerPresent.KERNEL32(?,?,?,0062100A), ref: 0065B544
                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0062100A), ref: 0065B553
                    Strings
                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0065B54E
                    Similarity
                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                    • API String ID: 3158253471-631824599
                    • Opcode ID: b12423e2e1e7069373a479546714f367d8dfd7134ba0998c0809b78ce7ef1126
                    • Instruction ID: 04ec2422c40944d96c4a666b6c2b74b1dff8d34cc453ef286fabc9e0aeff7606
                    • Instruction Fuzzy Hash: 89E092B02007128FE765EF68E4047427BE2EF04745F00992CE846C7351E7B4E548CFA1